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Other Publications by SoftKey Publishing: 



The Book Of Softkeys Volume II 160 pages 

shows you how to deprotect (softkey): 
Apple Cider Spider— Apple Logo— Arcade Machine— The 
Artist— Bank Street Writer— Cannonball Blitz— Canyon 
Climber— Caverns ofFreitag— Crush, Crumble & Chomp— 
Data Factory 5.0— DB Master— The Dic*tion*ary— Essential 
Data Duplicator I & III— Gold Rush— Krell Logo— Legacy 
of Llylgamyn— Mask Of The Sun— Minit Man— 
Mouskattack— Music Construction Set— Oil's Well- 
Pandora 's Box— Robotron— Sammy Lightfoot— Screenwriter 
II v2.2— Sensible Speller 4.0, 4.0c, 4.1c— the Spy Strikes 
Back— Time Zone vl.l— Visible Computer: 6502— Visidex— 
Visiterm— Zaxxon— Hayden Software— Sierra Online 
Software— PLUS the complete listing of the ultimate cracking 
program... Super IOB 1.5— and more! 



The Book Of Softkeys Volume I 160 pages 

shows you how to deprotect (softkey): 
Akalabeth— Ampermagic— Apple Galaxian— Aztec— Bag of 
Tricks— Bill Budge 's Trilogy— Buzzard Bait— Cannonball 
Blitz— Casino— Data Reporter— Deadline— Disk Organizer 
II— Egbert II Communications Disk— Hard Hat Mack— Home 
Accountant— Homeword— Lancaster— Magic Window II— 
Multi-disk Catalog— Multiplan— Pest Patrol— Prisoner II— 
Sammy Lightfoot— Screen Writer 11— Sneakers— Spy's 
Demise— Starcross— Suspended— Ultima II— Visifile— 
Visiplot— Visitrend— Witness— Wizardry— Zork I— Zork II— 
Zork III— PLUS how-to articles and program listings of need- 
to-have programs used to make unprotected backups. 



CO MPUTIST magazine 

The Magazine For Serious Apple ][ users 

The monthly magazine that shows you, step-by-step, how to remove copy- 
protection from commercial software for the Apple II series of computers. 
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Introduction 

Welcome to the Book Of Softkeys Volume III, a 

compilation of special articles from Hardcore COMPUTIST 
magazine (issues 1 1 through 15) that explain how to remove 
copy-protection from specific commercially-sold, locked- 
up and uncopyable software for Apple ][ computer systems. 

Hardcore COMPUTIST (now called COMPUTIST ) is 
a monthly publication devoted to the serious user of Apple 
][ computers and compatibles. Hardcore COMPUTIST 
magazine contains information you are not likely to find in 
any of the other major journals dedicated to the Apple market. 

Our editorial policy is that we do NOT condone software 
piracy, but we do believe that honest users are entitled to 
backup commercial disks they have purchased. In addition to 
the security of a backup disk, the removal of copy-protection 
gives the user the option of modifying application programs 
to meet his or her needs. 

Furthermore, the copyright laws guarantee your right to 
such a deprotected backup copy: 

..."It is not an infringement for the owner of a copy of a 
computer program to make or authorize the making of another copy 
or adaptation of that computer program provided: 

1) that such a new copy or adaptation is created as an essential 
step in the utilization of the computer program in conjunction with 
a machine and that it is used in no other manner, or 

2) that such new copy or adaptation is for archival purposes 
only and that all archival copies are destroyed in the event that 
continued possession of the computer program should cease to be 
rightful. 

Any exact copies prepared in accordance with the provisions 
of this section may be leased, sold, or otherwise transferred, along 
with the copy from which such copies were prepared, only as part 
of the lease, sale, or other transfer of all rights in the program. 
Adaptations so prepared may be transferred only with the 
authorization of the copyright owner." 

United States Code title 17, §117 (17 USC 117) 

Those of you who are not already familiar with Hardcore 
COMPUTIST are advised to read the How To Use This Book 
article in order to avoid frustration when attempting to follow 
a softkey article or when typing in the programs printed in 
this book. 



& 
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How To 
Use This Book 



Commands And Controls 



Commands which a reader is required to perform are set apart 
from normal text by being indented and bold. An example is: 

PR#6 

The |return| key must be pressed at the end of every such 
command unless otherwise specified. Control characters are shown 
as a single symbol. For example: 



6 IQP1 

To complete this command, you must first type the number 6 and 
then hold the ED key while you press the (E key. Be sure to enter 
the command into the computer by finally pressing the I return | key. 



Requirements 



Most of the programs and softkeys which appear in this book 
require one of the Apple ][ series of computers and at least one disk 
drive with DOS 3.3. Occasionally, some programs and procedures 
have special requirements. The prerequisites for deprotection 
techniques or programs will always be listed at the beginning of 
the article under the 'Requirements:' heading. 



Software Recommendations 



The following programs are strongly recommended for readers 
who wish to obtain the most benefit from our articles: 

An Applesoft Program Editor 

such as Call A.P.P.L.E's Global Program Line Editor (GPLE). 
A Sector Editor 

such as SoftKey's DiskEdit, 

or ZAP from Quality Software's Bag of Tricks, 

or Tricky Dick from Golden Delicious' The CIA. 
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A Disk Search Utility 

such as The Inspector, 

The Tracer from The CIA, 

or The CORE Disk Searcher (in this volume). 

An Assembler 

such as the S-C Assembler, 
or Merlin/Big Mac. 

A Bit Copier 

such as Copy II Plus, 

Locksmith, 

or Essential Data Duplicator (EDD). 

A Text Editor 

(able to producing normal sequential text files) such as: 
Applewriter II, 
Magic Window II, 
or Screenwriter II. 

You will also find COPY A, FID and MUFFIN from the DOS 3.3 
System Master Disk useful. 



Super IOB and controllers 



Several softkey procedures will make use of a Super IOB 
controller, a small program that must be typed into the middle of 
Super IOB. The controller changes Super IOB so that it can copy 
different disks. See the Super IOB 1.5 article and program in the 
The Book Of Softkeys Volume II. Before using any Super IOB 
controllers, read the Csaver article in this volume. 



Reset Into The Monitor 



Some softkey procedures require that the user be able to enter 
the Apple's System Monitor (henceforth called the Monitor) during 
the execution of a copy-protected program. Check the following list 
to see what hardware you will need to obtain this ability. 

Apple 11 Plus - Apple //e - Apple compatibles: 

1) Place an Integer BASIC ROM card in one of the Apple slots. 

2) Use a non-maskable interrupt (NMI) card such as Replay or 
Wildcard. 

Apple 11 Plus - Apple compatibles: 

Install an F8 ROM with a modified reset vector on the motherboard 
as detailed in the Modified ROMs article in this volume. 
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Apple lie. - Apple lie: 

Install a modified CD ROM on the computer's motherboard. Cutting 
Edge Ent. (Box 43234 Ren Cen Station-HC; Detroit, MI 48243) 
sells a hardware device that will give you this ability. Making this 
modification to an Apple lie will void its warranty but the increased 
ability to remove copy-protection may justify it. 



Recommended Literature 



Apple H Reference Manual 
DOS 3.3 manual 

Beneath Apple DOS 

by Don Worth and Pieter Lechner; Quality Software 

Assembly Language For The Applesoft Programmer 

by Roy Meyers and C.W. Finley; Addison Wesley 

What's Where In The Apple 

by William Lubert; Micro Ink 



Typing In Applesoft Programs 



BASIC programs are printed in this Book Of Softkeys in a format 
that is designed to minimize errors for readers who key in these 
programs. To understand this format, you must first understand the 
formatted LIST feature of Applesoft. 

An illustration- If you strike these keys: 

10 HOME:REMCLEAR SCREEN 

a program will be stored in the computer's memory. Strangely, this 
program will not have a LIST that is exactly as you typed it. Instead, 
the LIST will look like this: 

10 HOME : REM CLEAR SCREEN 

Programs don't usually LIST the same as they were keyed in 
because Applesoft inserts spaces into a program listing before and 
after every command word or mathematical operator. These spaces 
usually don't pose a problem except in line numbers which contain 
REM or DATA command words. The space inserted after these 
command words can be misleading. For example, if you want a 
program to have a list like this: 
10 DATA 67,45,54,52 

you would have to omit the space directly after the DATA command 
word. If you were to key in the space directly after the DATA 

The Book Of Softkeys Volume III 7 



command word, the LIST of the program would look like this: 
10 DATA 67,45,54,52 

This LIST is different from the LIST you wanted. The number of 
spaces you type after DATA and REM command words is very 
important. 

All of this brings us to the Hardcore COMPUTIST LISTing 
format. 

In a BASIC LISTing, there are two types of spaces: spaces that 
don't matter whether they are keyed or not, and spaces that MUST 
be keyed. 

The latter spaces are printed here as delta characters ( a ). For 
example: 

10 NOTES = "NOTE 4 THAT' THESE" SPACES' MUST' BE' ENTERED" 
20 VTAB 10 : HTAB 20 : PR I NT N0TE$ ; : REM THE SPACES BETWEEN COMMANDS 
NEED NOT BE ENTERED. 

As you see from this example, other spaces in our BASIC LISTing 
are put there for easier reading and it won't matter whether you 
type them or not. 



Keying In Hexdumps 



Machine language programs are printed here as both source code 
and hexdumps. Only one of these formats need be keyed in to get 
a machine language program. Hexdumps are the shortest and easiest 
format to type in. To key in hexdumps, you must first enter the 
Monitor with CALL -151 [return! . 

Now key in the hexdump exactly as it appears. If you hear a beep, 
you will know that you have typed something that the Monitor didn't 
understand and you must retype that line. 

When finished, return to BASIC by typing E003G(Hi). 
Remember to BSAVE the program with the correct filename, 
address and length parameters as given in the article. 



Keying In Source Code 



The source code portion of a machine language program is 
provided only to better explain the program's operation. If you wish 
to key it in, you will need the S-C Assembler. Without this assembler, 
you will have to convert the S-C Assembler directives (printed in 
Hardcore COMPUTIST # 17) to similar directives used by your 
assembler. 



5 
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The 

Softlkeys 



The sofikeys listed below require Super IOB: 
Computer Preparation SAT 
Demolition Division 
Electronic Arts software 
Hi-Res Computer Golf II 
Master Type vl.7 
MatheMagic 
Penguin Software 
Rocky 's Boots 
Seadragon 
Snooper Troops II 
Tic Tac Show 
Ultima III Exodus 



What is a softkey? 

Softkey is a term which we've coined to 
describe a procedure that removes, or at 
least circumvents, any copy-protection on 
a particular disk. Once a softkey 
procedure has been performed, the 
resulting disk can usually be copied by the 
use of Apple's COPYA program (on the 
DOS 3.3 System Master Disk) and is said 
to be 'COPYAable.' 
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Alien Munchies 

Gentry Software 

Putting The Byte On Alien Munchies 

by Tom Phelps 
(Hardcore COMPUTIST # 15, page 7) 



Requirements: 

Apple ][ with 48K 

Means of resetting into the Monitor 

One slave disk with a null HELLO program 

Alien Munchies by Gentry Software is your common, everyday, 
run of the mill "Fry the aliens on your barbecue grill!" arcade game. 
(Sure, everyday huh?) This game is slow at the beginning and patient 
playing is needed to get to the much more exciting 2nd and 3rd type 
of aliens (10,000 and 20,000 points respectively). 

The method used to deprotect this game illustrates a very useful 
move routine you can use in your own cracks. The problem of 
running out of men before reaching these more challenging stages 
is solved with an example of the art of Advanced Playing Techniques 
(APTs). 

Step-By-Step 

1 1 | Boot Alien Munchies. 

| 2 | [reset] into the Monitor after the picture has come onto the 



screen. 



| 3 1 Move page eight out of the way for a boot: 
2000<800.8FFM 



41 Boot a slave disk with no HELLO program. 



5 I Enter the Monitor: 
CALL -151 

~6~| Move page eight back: 



800<2000.20FFM 
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At this point, the Alien Munchies program is in memory and in 
its proper memory locations. Rather than save a huge chunk of 
memory, let's save some disk space with a move routine. 
Furthermore, to bring the game under control a little better, let's 
include an APT routine. 
| 7 | Compact the code: 
30O0<6O0O.6FFFM 



8 1 Enter the space-saving, relocatable move routine: 



2000: A0 00 A9 00 85 00 85 02 
2008: A9 30 85 01 A9 60 85 03 
2010: Bl 00 91 02 E6 02 E6 00 
2018: DO F6 E6 03 E6 01 A5 01 
2020: C9 40 DO EC EA 

If you disassemble this code, it should look like this: 



2000- 


A0 00 


LDY #$00 


2002- 


A9 00 


LDA #$00 


2004- 


85 00 


STA $00 


2006- 


85 02 


STA $02 


2008- 


A9 30 


LDA #$30 


200A- 


85 01 


STA $01 


200C- 


A9 60 


LDA #$60 


200E- 


85 03 


STA $03 


2010- 


B100 


LDA ($00), Y 


2012- 


9102 


STA($02),Y 


2014- 


E6 02 


INC $02 


2016- 


E6 00 


INC $00 


2018- 


D0F6 


BNE $2010 


201A- 


E6 03 


INC $03 


201C- 


E6 01 


INC $01 


201E- 


A5 01 


LDA $01 


2020- 


C9 40 


CMP #$40 


2022- 


D0EC 


BNE $2010 


2024- 


EA 


NOP 



| 9 | Type in the following APT routine: 

2025: 20 2F FB 

2028: 20 58 FC A2 OB 20 4A F9 
2030: A2 00 BD 62 20 20 ED FD 
2038: E8 E0 12 DO F5 2C 10 C0 
2040: AD 00 CO C9 D9 F0 07 C9 
2048: CE DO F5 4C 00 08 A9 EA 
2050: 8D C9 10 8D CA 10 8D CB 
2058: 10 A9 01 8D FD 12 4C 00 
2060: 08 EA C9 CE C6 C9 CE C9 
2068: D4 C5 A0 CD C5 CE AO A8 
2070: D9 AF CE A9 00 
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A disassembly of this would show: 



2025- 


20 2F FB 


JSR $FB2F 


2028- 


20 58 FC 


JSR $FC58 


202B- 


A2 0B 


LDX #$0B 


202D- 


20 4A F9 


JSR $F94A 


2030- 


A2 00 


LDX #$00 


2032- 


BD 62 20 


LDA$2062,X 


2035- 


20 ED FD 


JSR $FDED 


2038- 


E8 


INX 


2039- 


E0 12 


CPX#$12 


203B- 


D0F5 


BNE $2032 


203D- 


2C 10 C0 


BIT $C010 


2040- 


AD 00 C0 


LDA $C000 


2043- 


C9D9 


CMP #$D9 


2045- 


F0 07 


BEQ $204E 


2047- 


C9CE 


CMP #$CE 


2049- 


D0F5 


BNE $2040 


204B- 


4C 00 08 


JMP $0800 


204E- 


A9EA 


LDA #$EA 


2050- 


8DC9 10 


STA$10C9 


2053- 


8DCA10 


STA$10CA 


2056- 


8DCB10 


STA$10CB 


2059- 


A9 01 


LDA #$01 


205B- 


8DFD12 


STA$12FD 


205E- 


4C 00 08 


JMP $0800 


2061- 


EA 


NOP 


2062- 


C9CE 


CMP #$CE 


2064- 


C6C9 


DEC $C9 


2066- 


CE C9 D4 


DEC $D4C9 


2069- 


C5A0 


CMP $A0 


206B- 


CD C5 CE 


CMP $CEC5 


206E- 


A0A8 


LDY #$A8 


2070- 


D9 AF CE 


CMP$CEAF,Y 


2073- 


A9 00 


LDA #$00 



Unlike the Sammy Lightfoot APT in The Book Of Softkeys 

Volume II, let's make ours optional so you can play normal-style 
or with infinite men and a counter in your number of barbecues 
to tell you what level you're on. 

I 18 | Finally, add a JMP to our special routines before the actual 
program starts: 

7FD:4C 00 20 

I 11 1 Save the new-and-improved Alien Munchies: 
BSAVE ALIEN MUNCHIES, A$7FD,L$5803 



$ 
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I Computer Preparation: SAT g 

■M Harcourt, Brace and Jovanovich, Inc. ^E 

IBs Deprotecting Computer Preparation: SAT ^m 

^^ } by Eddie Fang ^Bf 

gj (Hardcore COMPUTIST # 14, page 6) 




Requirements: 

48K Apple ][, Apple ][ Plus, or Apple lie 

One disk drive with DOS 3.3 

Four blank disks 

Super IOB and the swap controller 

(Optional: File transfer program) 



This computer preparation package by HBJ ranks up at the top 
with Barron's computer preparation course for the SAT. HBJ's 
package has a lot of the major words found on the SAT and a lot 
of similar mathematical and verbal problems, too. 

My problem, however, is that I would like to change the words 
and problems for a younger brother or change the problems that 
I have finished studying to some newer ones. The frustration of 
copying this disk is immense. After trying all of the major bit copiers 
to no avail, I decided to try Super IOB. Here is how I did it! 

First, get the disk that is labeled A. All the disks follow the same 
process, except you will have to modify different programs on 
different disks to get each totally broken. Follow these steps 
carefully: 

| 1 | Boot the first protected disk. When you hear the drive head 
access the first track, hit |Reset| . 

I 2 | Get into the Monitor: 

CALL -151 

| 3 | We must move the RWTS down to a safe location for Super 
IOB to use: 

1900<B800.BFFFM 
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I 4 I When you get the Monitor prompt again, insert your Super 
IOB slave disk and boot it: 

C600G 



j[] Save the RWTS: 



BSAVE RWTS.SAT,A$19O0,L$8O0 



6 I Install the controller at the end of this article (a modified 



version of the swap controller) into Super IOB and execute Super 
IOB: 

RUN 

I 7 I When asked if you wish to format the backup first, reply 
with a ID. This will put DOS on the disk and set the bootup program 
to HELLO. 

I 8 I Copy the other three sides in the same manner (Steps six 
and seven). 

Almost Finished 

You now have a COPYAable version, but if you want to modify 
it, you will have to change a few line numbers of some of the BASIC 
programs. Several of the main programs have a line number which 
looks something like this: 

REM BHISHIieHlBHIeHlOHIIBHIISHllQMlSDl FP 

Whenever you try to list a line like this, DOS sees the 
IQMIBDI FP and clears the program in memory. In other words, 
the program self-destructs when LISTed. This situation is easily 
circumvented by merely eliminating line zero from these programs. 
The general format for doing this is: 

LOAD filename 
DEL 0,1 
SAVE filename 

Remove line zero from these programs on your duplicate disk: 

Math Item Bank Display on the mathematical side. 
Vocabulary Flashcards on the vocabulary flash cards side. 
Verbal Item Bank Display on the verbal side. 
Frank (I don't know why they called it that) on the diagnostic and 
testing side. 

Closing Comments 

You should now have four bootable, completely deprotected and 
modifiable Computer Preparation: SA T disks. I hope this helps you 
as much as it has helped me. 
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controller 



410GOSUB80 ■ HOME :A$ = "FORMATTING" : FLASH : GOSUB 450 : NORMAL 

: PRINT : PRINTCHR$(4) " INITHELLO.S" S2 " ,D" 02 " ,V" VL :VL = 

: RETURN 
1000 REM SWAP CONTROLLER 
1010TK = 3 :ST = : LT = 35 :CD = WR 
1020 Tl = TK : GOSUB 490 : GOSUB 360 : ONERR GOTO 5501030 GOSUB 430 

GOSUB 100 : ST = ST + 1 : I F ST < DOS THEN 1030 
1040 IFBFTHEN 1060 

1050 ST = :TK = TK + 1 : IF TK < LT THEN 1030 
1060 GOSUB 490 :TK = Tl :ST = : GOSUB 360 
1070 GOSUB 430 : GOSUB 100 :ST = ST + 1 : I F ST < DOS THEN 1070 
1080 ST = :TK = TK+1 : IF BF = AND TK < LT THEN 1070 
1090 IF TK < LT THEN 1020 
1100 HOME : PRINT "COPY 4 DONE" : END 
10010 IF PEEK (6400) <> 162 THEN PRINT CHR$ (4) "BLOAD" 

RWTS. SAT, A$ 1900" 



S 
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DLM Software* 

(Development Learning Materials) 

Softkey For DLM Software 

by Chris Chenault & Ray Darrah 
(Hardcore COMPUTIST #13, page 7) 



♦Specifically for: Demolition Division, Alligator Mix, Alien 
Addition, and Minus Mission. 

Requirements: 

48K Apple II or Apple //e 
Super IOB 
A blank disk 



Demolition Division 

Demolition Division is a drill that makes division fun for 
youngsters. In this game, you use your correct answers to shoot 
enemy tanks. You have a choice of speed, difficulty and paddle or 
keyboard control. 



Alligator Mix 



Alligator Mix is a math drill that consists of a mixture of addition 
and subtraction problems. In this game, you can only feed the 
alligator if the answer to the addition or subtraction problem matches 
the answer he has on his tummy. 




Alien Addition is an addition drill made into an arcade game. The 
game gives you the ability to change speed and difficulty levels and 
is one of many great education games that offer children fun while 
they learn. 
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Minus Mission 



In Minus Mission, falling blobs of subtraction problems threaten 
to overcome a robot with green slime. Arcade skill is required as 
well as subtraction skill to save the robot. 

The Softkey To Them All 

For all of these great programs, I have developed a Super IOB 
controller that deprotects them nicely. I think it may work on other 
DLM releases as well as the four mentioned above. 

In any case, here are the steps to follow when deprotecting any 
of these educational masterpieces: 

| 1 | Type in the Super IOB controller at the end of this article 
and save it. 

| 2 | Next, boot a normal DOS diskette and initialize a blank 
disk with the filename the same as the disk you wish to copy. 

INIT program name 



~T\ Execute the Super IOB program with the DLM controller 



installed. 

| 4 | When Super IOB is finished, try to boot the copy. If 
everything comes up OK then you're finished. If you get a FILE 
NOT FOUND, CATALOG the disk and RUN the first file you see. 
This should have been the program name you used in step 2. You 
may go back to step 2 and try again if you like. 

controller 

1000 REM DLM SOFTWARE CONTROLLER 

1010 TK = 3 :ST = : LT = 35 :CD = WR :MB = 130 :D0S= 13 

1015 GOSUB 360 : GOSUB 270 : GOSUB 360 

1020 Tl = TK : GOSUB 490 : GOSUB 360 : ONERR GOTO 550 

1030 GOSUB 430 : GOSUB 100 :ST = ST + 1 : I F ST < DOS THEN 1030 

1040 IF BF THEN 1060 

1050 ST = :TK = TK+ 1 : IF TK < LT THEN 1030 

1060 GOSUB 490 :TK = Tl :ST = : GOSUB 360 

1070 GOSUB 430 : GOSUB 100 : ST = ST + 1 : I F ST < DOS THEN 1070 

1080 ST = :TK = TK+ 1 : IF BF = AND TK < LT THEN 1070 

1090 IFTK< LTTHEN 1020 

1100 HOME : PRINT "EVERYTHING 4 O.K. "NO 4 DOS' ON" COPY" : END 

10010 PRINT CHR$ (4) " BLOAD" RWTS . 1 3 , A$ 1 900 " 



ft 
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Electronic Arts 
Software* 

Deprotecting Electronic Arts 

by Pete Levinthal 
(Hardcore COMPUTIST #13, page 26) 



*Softkeys for: Cut And Paste, The Last Gladiator, and One on One. 

Requirements: 

48K Apple ][, Apple ][ Plus, or Apple lie 
DOS 3.3 disk drive 
Super IOB 
A sector editor 
A blank disk 



Electronic Arts' recent releases have all used very nearly the same 
protection. Their protection scheme has been to change the data field 
prologue bytes from a normal D5 AA AD to a modified D5 BB 
CF on tracks $03 to $20. Tracks $00 to $02 contain the modified 
RWTS to read the new data field bytes and hi-res title page. These 
three tracks are unprotected normal DOS 3.3. In addition, these 
recent releases have a nibble count on track $22, and track $21 is 
unused. 

Remember that the prologue data field bytes tell DOS where the 
data starts on a sector. This is usually identified by the unique 
sequence of bytes D5 A A AD. Electronic Arts has modified these 
to D5 BB CF so normal DOS cannot tell where the data starts and 
hence, an I/O error occurs when copying with COPY A (or some bit 
copiers for that matter). 

So, to deprotect the new Electronic Arts releases we must: 

| 1 | Read the original disk with data field prologue bytes of D5 
BBCF. 

| 2l Write to a normal DOS 3.3 disk with normal data field 
prologue bytes of D5 A A AD. 

1 3| Change the modified Electronic Arts' RWTS to read normal 
D5 A A AD data field prologue bytes. 

| 4 | Disable the nibble count. 
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Easy enough, right? We can use Super IOB to do most of the 
work and then use a sector editor to complete the process. Here 
is the procedure: 

| 1 | Load Super IOB and type in the controller at the end of 
this article. 

| 2 | With the controller installed, run Super IOB. 



Cut and Paste 



When Super IOB is finished, it will have made these sector 



alterations: 










Track 


Sector 


Byte 
68 


From 


To 


01 


0F 


20 


18 


01 


0F 


69 


A2 


60 


01 


0F 


6A 


Al 


EB 



02 03 47 BB AA 

02 03 51 CF AD 



If you have copied Cut and Paste, then that's all. Enjoy your 
backup. 

Pull Out Your Sector Editor 

If you have copied The Last Gladiator or One on One, then you 
will need to pull out your sector editor and make the following 
modifications (to the copied COPYAable disk): 



The Last Gladiator 



Track Sector Byte From To 



IF 


0E 


05 


A0 


18 


IF 


0E 


06 


20 


60 


IF 


0E 


68 


20 


18 


IF 


0E 


69 


A2 


60 


IF 


0F 


05 


A0 


18 


IF 


0F 


06 


20 


60 


IF 


0F 


68 


20 


18 


IF 


0F 


69 


A2 


60 
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Track Sector Byte From To 



09 02 IF 01 FD 



0C 


04 


05 


A0 


18 


0C 


04 


06 


18 


60 


0C 


04 


07 


88 


C8 


0C 


04 


DC 


A0 


18 


0C 


04 


DD 


FF 


60 



Now you're all done! Don't forget to write the sectors back out 
to your COPYAable copy as you change them. 



Electronic Arts controller 



1000 REM ELECTRONIC ARTS 

1010 TK = :ST = : LT = 33 :CD = WR 

1020 Tl = TK : GOSUB 490 : IF TK > 3 THEN RESTORE : GOSUB 210 

1030 GOSUB 430 : GOSUB 100 : ST = ST + 1 : I F ST < DOS THEN 1030 

1035 IF TK = 2 THEN GOSUB 210 

1040 I FBF THEN 1060 

1050 ST = :TK = TK+1 : IF TK < LT THEN 1030 

1060 GOSUB 490 :TK = Tl :ST = : GOSUB 230 : IF TK = THEN GOSUB 

1110 
1070 GOSUB 430 : GOSUB 100 :ST = ST + 1 : I F ST < DOS THEN 1070 
1080 ST = :TK = TK + 1 : IF BF = AND TK < LT THEN 1070 
1090 IF TK<LT THEN 1020 
1100 HOME : PRINT "DONE'WITH'COPY" : END 
1110 POKE 19015 ,170 : POKE 19025 ,173 : POKE 18024 ,24 
1120 POKE 18025 ,96 : POKE 18026 ,235 : RETURN 
62010 DATA 213 ,187 ,207 



S 



20 The Book Of Softkeys Volume III 



The Einstein Compiler v5.3 

The Einstein Corporation 

Softkey For The Einstein Compiler Version 5.3 

by Marco Hunter 
(Hardcore COMPUTIST #11, page 6) 




Requirements: 

48K Apple ][ Plus or equivalent 

One disk drive with DOS 3.3 

A blank disk 

COPY A from the DOS 3.3 System Master 

A sector editing program 



Although it has a few shortcomings, the Einstein Compiler is 
probably the best of its kind available. The compiler produces a 
file which is usually saved as a huge Applesoft program and tricks 
DOS into thinking it is loading an Applesoft file, when it is actually 
loading a compiled program as well as a library of subroutines. But 
that is for a review, and this is a softkey. Suffice it to say that Einstein 
is most likely your best bet in Applesoft compilers. 

Einstein is a program which resides on an essentially normal disk. 
The infamous nibble-count technique is used to ensure that an 
original disk is being used. The procedure for locating a nibble count 
usually involves much time, knowledge of Assembly language and 
Assembly language tricks. A little luck can also come in handy. 
Fortunately, all nibble counts involve some method of accessing the 
disk. Since a disk controller card can reside in any of the Apple's 
slots, the nibble count must adjust itself to the slot being used. The 
most popular method is to load the X- or Y-register with the slot 
number (technically, the slot number * 16) and then to access the 
location C08C + X or C08E + X. In Assembly language, it would 
look like one of these. 

LDA $C08C,X LDA $C08E,X 

LDA $C08C,Y LDA $C08E,Y 

Note: Other options include LDY $C08E,X and LDX $C08C,Y. 
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Since both the register loaded and the index used can change, 
it is best to search for C08C or C08E. Because two-byte addresses 
are always reversed in machine language, the bytes to search for 
are 8C C0 and 8E C0. After locating these bytes on a disk, preferably 
with a disk search utility such as Bag of Tricks or The CIA, you 
should disassemble the code to find out if it is truly a nibble count. 
Try to avoid searching tracks 0-2 because these generally contain 
DOS or some type of RWTS which are usually full of 8CC0's, but 
not nibble counts. Many times the code around a nibble count will 
contain many PLA's and PHA's. The software companies hope that 
by playing around with the stack they can fool most people. 

Once you have located a nibble count, you can eliminate it in 
several ways. You could either put an RTS (return from subroutine) 
at the beginning, NOP (no-operation does nothing) the entire routine, 
jump out of it, or avoid jumping into it in the first place. Keep in 
mind, however, that some companies also protect their disks by 
including checksum routines which can detect the presence of altered 
code. Sierra On-Line is one company known to do this (See SOL: 
Sierra OnLine Software article on page 108 of The Book Of 
Softkeys Volume II). 

Of course, some knowledge of Assembly language is an invaluable 
aid when tracking down protection schemes. If you don't happen 
to know any Assembly language yet, it would be well worth your 
time to pick up a good book on it. Assembly language is not as 
mysterious and hard to learn as many people would have you believe. 
If you can learn the hexadecimal number system and condition 
yourself to think in it when necessary, half the battle of learning 
Assembly language will be behind you. Even if you never write 
a single Assembly language program, just being able to follow code 
written by others is a valuable skill. 
Well, enough talk. On to the process! 

I located the bytes on Einstein and figured out a way to jump 
around the routine, so that everything went as normal. 



I 1 1 Make a copy of Einstein with COPY A. 


I 2 | Use your sector editor to modify: 

Track Sector Byte From To 


08 04 2A 
08 04 2B 
08 04 2C 


BD 4C 

8C E2 
C0 91 


*r 
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Escape From Rungistan 

Sirius Software 

Softkey For Escape From Rungistan 

by Chris Chenault 
(Hardcore COMPUTIST #15, page 6) 




Requirements: 

48K Apple ][ or Apple lit 
One disk drive with DOS 3.3 
A sector editor 



Escape from Rungistan is a unique adventure featuring graphics, 
sound and animation. At the beginning of the game, you awake in 
a foreign prison and hear the guard say that you are to be shot at 
sunrise. There is no other choice but to attempt to break out. As 
the game progresses, you battle bears, snakes and test your skiing 
ability. 

This adventure is written with an 'Old West' flavor and the author 
shows a great sense of humor. To aid your efforts at playing this 
game, the author added a clue file to keep you from getting too 
flustered. 

Escape With Diskview 

The locking procedure on this disk consists of a combination of 
many fairly simple procedures, but together they give you endless 
trouble. I used DiskView to discover that this is a DOS 3.3 disk 
with the last byte of the address prologue marker changed to $F7 
from $96 on tracks $03-$22. 

Using this pre-analysis, it seems to be a disk that a slightly 
modified COPY A would deprotect. Unfortunately, because some of the 
last few tracks have been damaged for protection, this won't work. 

I finally came up with the following method after discovering that 
it had a normal CATALOG on the correct track and a greeting 
program called START. I discovered this with the help of DiskEdit. 
Now for the procedure. 
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Step-By-Step 

I 1 I Boot the DOS 3.3 System Master disk. 

I 2 I Insert a blank disk and format it with START as the boot 
(greeting) file: 

INIT START 

I 3| Re-insert DOS 3.3 System Master and load FID: 
BLOAD FID 

I 4 I Write-protect your Escape From Rungistan disk. 

I 5 | Drop into the Monitor and modify DOS so that the last byte 
of the address prologue is ignored: 

CALL —151 
B969:29 00 

I 6 | Start FID going: 
803G 

I 7 I Copy all the files (using the = wildcard feature of FID) 
to the disk you INITed in step 2. 

I 8 I W hen F ID informs you that a file named START already 
exists, hit Ibeturn) so that we will get the file from the Rungistan 
disk. 

The copy at this point won't work because the DOS on the original 
disk has strange DOS commands. This is how they have been altered: 

Normal Command Rungistan Command 



RUN 


ARC 


CLOSE 


SVRTT 


READ 


DNRT 


OPEN 


CBSE 


MAXFILES 


FILMAXES 


BSAVE 


AVESB 


BLOAD 


ODABL 


X OTHERS 


rubbed out 



_9] Use your sector editor to read track $01, sector $07 from 



the original disk and write it to your new unlocked disk. This changes 
the commands to Rungistan commands). 

You're done! To CATALOG your new disk, study the code and 
do APTs, simply boot a normal disk before starting. Your copy of 
Escape From Rungistan is COPYAable. 



S 
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Financial Cookbook 

Electronic Arts 

Deprotecting The Financial Cookbook 

by Pete Levinthal 
(Hardcore COMPUTIST #15, page 6) 




Requirements: 

Apple ][ 

A Replay card, Wildcard or other 48K copy card 

A blank disk 

COPY A from the DOS 3.3 System Master 

A sector editor 



Here is a quick-and-dirty method to copying the Financial 
Cookbook from Electronic Arts. This method requires a copy card 
such as the Replay or Wildcard. 

Since the Financial Cookbook requires 64K of memory to run, 
it is no big deal to use a copy card to load the program back in. 
The trick to this method is to copy memory at just the right time. 
The object is to escape the protection but catch the program before 
it starts loading into the RAM card (thus preventing us from having 
to copy 64K of memory). 

The Cookbook disk is completely copyable with COPY A except for 
track 6, which is the nibble count track. The boot proceeds like any 
other Electronic Arts release: it loads a title page and then does a 
nibble count and loads the program. Listen to the program load and 
you will hear the nibble count (sounds weird, eh?). We want to copy 
memory after the nibble count but before the RAM card is activated. 
Just after the nibble count, the drive will stop and the text page will 
flutter for a second. Press the copy card switch at this instant. You 
will only have a second or two to do it. You may have to practice 
a few times. 

After this process, use your copy card utility disk to make binary 
files of the memory. 

Now copy tracks $12 to $14 of the original Financial Cookbook 
to a blank initialized disk using a slightly modified COPY A then run 
a sector editor and change bytes $80 to 00 00, bytes $84 to 
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00 00, bytes $88 to 00 00, bytes $3C to 00 00 and bytes $40 to 
00 00 to allocate tracks $12 to $14 and the DOS tracks as used in 
the VTOC. Finally, copy the binary (B) files of memory to this disk 
using FID or some other utility. 

You're all done! Just BRUN the memory files and, if all went 
correctly, the program will restart, read in some data from tracks 
$12 to $14 and all is fine. 

Step-By-Step 

| 1 | Boot the Financial Cookbook and after the title page and 
the nibble count, and just after the drive stops (for just a second!), 
hit the copy card switch. 

| 2 | Copy all 48K of memory. 

| 3 I Process the copied memory using your copy card utility 
disk to create normal binary files from it. 

| 4 | Start COPYA going, then break it at the title page: 

RUN COPYA 

Bel 

I 5 1 Enter the Monitor: 
CALL —151 



j[] Make COPYA so that it will only copy specific tracks: 



302:16 

35F:16 

2DE:20 BO 02 

2B0:A9 OF 8D Dl 02 8D D2 02 60 

3D0G 

70 

RUN 

| 7 | When the copy is done, get out your sector editor and make 
the following changes to your freshly created disk: 
Track Sector Bytes To 

~$1 

$1 
$1 
$1 
$1 



$00 



$80, 


$81 


$00, $00 


$84, 


$85 


$00, $00 


$88, 


$89 


$00, $00 


$3C, 


$3D 


$00, $00 


$40, 


$41 


$00, $00 



| 8 | Finally, transfer the memory files to this disk using FID. 
Now you're all done! Just BRUN the memory files to restart the 
program. 

a 
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Flip Out 

Sirius Software 



Deprotecting Flip Out 

by Clay Harrell 
(Hardcore COMPUTIST # 12, page 11) 




Requirements: 

48K Apple ][ or Apple ][ Plus with old-style F8 Monitor ROM 
One blank initialized DOS 3.3 disk 



Flip Out is a hi-res strategy game from Sirius Software (R.I. P.) 
which requires you to send all ten of your marbles through the 
playing course before your opponent does. Each player starts with 
ten of his opponent's marbles and then takes turns dropping these 
marbles into the Flip Out playing field (of which there are many 
variations). Your first goal is to trap your opponent's marbles in 
a spot where they will be difficult to recover. Each marble dropped 
may cause a chain reaction, so some strategy is required. After the 
players have dropped all ten of their opponent's marbles, they begin 
to drop their own marbles through the course. This continues until 
one of players wins by getting all his marbles through the course. 

Who Stole the ROMS? 

Flip Out is well done and challenging! But after I bought it and 
was done playing a game, I hit 1reset| and did not see the usual 
Monitor prompt (I have an old-style F8 Monitor ROM on the 
motherboard). My computer rebooted as if I had a new-style F8 
Monitor ROM! This intrigued me into investigating this strange 
phenomenon. 

What I discovered was that the main program (not the boot code) 
will copy an image of the new-style F8 Monitor ROM into a slot 
RAM card if one is found. Of course, I had a RAM card and 
they had it turned ON instead of the motherboard ROMs. It is easy 
to understand what they are doing if you just remember what 
memory the RAM card occupies. 

The RAM card occupies memory from $D000 to $FFFF. This 
may seem strange since the motherboard ROMs (Applesoft and the 
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monitor) also occupy $D000 to $FFFF. However, there are a set 
of soft switches that can turn ON motherboard ROMs or turn ON 
the RAM card. An example of this occurs when you boot your 48K 
DOS 3.3 system master and it loads Integer BASIC into the RAM 
card. Now you have two languages available that occupy the same 
logical memory space, $D000 to $FFFF. You can switch between 
the two with INT and FP. When the INT command is typed in, the 
soft switches are thrown so that the language card is read-enabled. 
Likewise, the FP command read-enables the motherboard ROMs. 
If you read your RAM card manual you can see that the Softswitch 
at memory location $C080 (assuming your RAM card is in slot zero) 
will allow you to look at your RAM card's memory. But have you 
ever tried typing $C080 from the Monitor? It will lock up your 
Apple, requiring you to power OFF and then back ON again to 
recover. 

Recovering the ROMS 

This phenomenon occurs because you have switched to the RAM 
card's memory $D000— $FFFF and turned OFF the motherboard's 
ROMs. When you do this, the computer loses control since there 
is no longer a Monitor ROM available from $F800— $FFFF to 
oversee your Apple's operations! You cannot recover from this 
condition, even with a I reset | . 

To get around this problem you must first type: 

C081 C081 N F80O<F8OO.FFFFM 

from the Monitor. This reads the motherboard's ROM, but allows 
you to write to bank 2 of the RAM card. It moves the F8 
motherboard ROM into $F800— FFFF in bank 2 of the RAM card! 
Now you may type C080 to turn ON the RAM card and look at 
its memory, since a copy of the $F8 monitor ROM is in the RAM 
card from $F800 to $FFFF. 

This is what Sirius and other software publishers will sometimes 
do to prevent people from utilizing their RAM cards for deprotection 
purposes. With a RAM card in slot 0, no matter what $F8 ROM 
you have in the motherboard, your Apple will only look at the new 
style $F8 ROM image in your RAM card. Thus, the Apple clears 
memory and reboots when I reset | is pushed! This is an easy 
problem to fix, now that we have identified it. Just take your RAM 
card out of your computer and you may I reset | into the Monitor as 
usual. As demonstrated in the softkey for Sensible Speller (see article 
on page 82 of this volume of The Book Of Softkeys), you can 
sometimes get away with moving your RAM card to a slot other 
than where the program does not expect to find a RAM card. 

Flip Out is a single-load program. To deprotect single-load 
programs, there are 3 basic things which we need to determine: 
1. What memory is used by the program. 2. The starting address 
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of the program. 3. How to get the memory saved to a normal DOS 
3.3 disk and reloaded back into memory in the proper place(s). 

Keep these three items in mind as we snoop through Flip Out 
or any other single load game. 

Sirius has changed its protection schemes a lot in the last few 
years. The height of their protection mania was demonstrated in 
games like Bandits and Fly-wars. The problem with hi-tech 
protection is that a program might not boot on a Rana drive, or on 
an Apple lie or some other flavor of Apple. Sophisticated protection 
schemes are also costly and drive up the retail price of software. 
In light of this, Sirius chose a much simpler, but still effective, copy- 
protection scheme for Flip Out. Just try and copy it with Nibbles 
Away or another bit copier and you'll see just how effective it is! 

A Bit of Boot Tracing 

Keeping in mind the three things we must figure out to deprotect 
a single-load game, the first thing I generally do is to find what 
memory is required to run the program. To do this we can flip 
through memory (remember that shape tables, etc. don't disassemble 
into meaningful code), or we can trace the boot and see where the 
program gets loaded to. I prefer to trace the boot when it is fairly 
simple, which it is on Flip Out. 

So, boot up normal DOS 3.3 (so we can save a piece of code 
for later examination, if you wish) and enter the Monitor with: 

CALL —151 

Now we must copy the code in the disk controller ROM down to 
RAM so we can modify it to our liking. Do this by typing: 

8600<C600.C6FFM 

from the Monitor. Now we have the disk controller ROM code 
where we can modify it, and start to trace the boot. 

If you did not know already, the disk controller ROM reads track 
zero, sector zero into memory from $800 to $8FF. Then it JMPs 
to $801 and starts executing the code (which continues by loading 
in a little more code, which then loads in more code, which 
then well, you get the idea). 

At the end of the code at $8600 we see a JMP $0801 . We must 
change this to JMP $FF59, which will exit us in the Monitor after 
it is done loading track zero, sector zero into $8000 to $8FF. Put 
Flip Out in drive one and type: 

86F9:59 FF N 860OG 

The drive will recalibrate and, a second later, beep into the Monitor 
just like we told it. To turn OFF the drive motor, type: 

C0E8 

from the Monitor prompt. If you want to, you can save this hunk 
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of code to your normal DOS 3.3 disk with: 
BSAVE BOOT0,A$800,L$100 

(since this process did not disturb DOS which lives from $9600 to 
$BFFF). Now type: 

801L 



to flip through the code just loaded. Here's what you should find: 


801- 


A5 2B 


LDA $2B 




803- 


AA 


TAX 




804- 


85 FB 


STA $FB 




806- 


4A 


LSR 




807- 


4A 


LSR 




808- 


4A 


LSR 




809- 


4A 


LSR 




80A- 


09 C0 


ORA #$C0 




80C- 


8D 00 30 


STA $3000 




80F- 


A0 00 


LDY #$00 
STY $00 




811- 


84 00 




813- 


A9O0 


LDA #$D0 




815- 


85 01 


STA $01 


Put the 


817- 


A2 30 


LDX #$30 


code from 


819- 


AD 81 C0 


LDA $C081 


ROM into 


81C- 


AD 81 C0 


LDA $C081 


the slot 


81F- 


B100 


LDA($00),Y 


zero RAM 


821- 


9100 


STA ($00), Y 


card. 


823- 


C8 


INY 




824- 


D0F9 


BNE $08 IF 




826- 


E6 01 


INC $01 




828- 


CA 


DEX 




829- 


D0 F4 


BNE $08 IF 
LDX $FB 




82B- 


A6FB 


Load code 


82D- 


84 F7 


STY $F7 


into RAM 


82F- 


A9 04 


LDA #$04 


starting 


831- 


85 F8 


STA $F8 


at page 


833- 


85 FA 


STA $FA 


$04 


835- 


BD 8C C0 


LDA SC08C X 




838- 


10 FB 


BPL $0835 




83A- 


C9AD 


CMP #$AD 


Look for 


83C- 


D0F7 


BNE $0835 


a data 


83E- 


BD 8C C0 


LDA$C08C,X 


field 


841- 


10 FB 


BPL $083E 


epi logue 


843- 


C9DA 


CMP #$DA 


of AD, 


845- 


D0F3 


BNE $083A 


DA, DD 


847- 


BD 8C C0 


LDA$C08C,X 




84A- 


10 FB 


BPL $0847 




84C- 


C9DD 


CMP #$DD 




84E- 


D0EA 


BNE $083A 




88A- 


4C 29 04 


ui i^ f vUwn 

JMP $0429 


JMP B00T2 
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This code loads in the final loader B00T2 over the text screen 
memory ($400 to $7FF) and JMPs to $429. Now we need to examine 
B00T2 (the game loader) to see where it actually loads in the game. 

You might notice that this is slightly diffic ult sin ce B00T2 gets 
loaded over the text page, and when we hit |Reset| this memory 
pretty much hits the bit-bucket. But B00T1 (the code which we are 
now looking at in $801— $88 C) can be changed to load B00T2 
somewhere else and gracefully Ikeseti into Monitor. To do this we 
can change the load byte from page $04 to page $14, and change 
the JMP $429 to jump into the Monitor. Then we can examine the 
BOOT 2 loader. To do this, from the Monitor, enter: 

830:14 N 88B:59 FF 

The next thing we must change is the disk controller ROM code 
at $8600. We need it to execute, but not write over, the modified 
code at $801. To do this, we can tell it to load track zero sector 
zero at $6000 (instead of $800) and jump to our modified code at 
$801 . Of course our code will load B00T2 into $ 1400 so we can look 
at it. If you are, go back and don't return until you understand what 
is going on. 

OK, put Flip Out in drive one and type: 

8659:60 N 86F9:01 08 N 8600G 

The drive will recalibrate and boot zero will read track zero, sector 
zero into $6000 (thus, not overwriting our code at $801). It will 
then jump to $801 (B00T1) and load B00T2 into $1400 to $17FF. 
Unfortunately, it will keep reading BOOT 2 into $1400 to $17FF 
because we haven't changed enough code. So, after a few seconds, 

hit fRESETl . 

Now if you want to, you can put your normal DOS 3.3 disk in 
a drive and save B00T2 with BSAVE BOOT2,A$1400,L$4M. 

Next type 1429L and examine B00T2. You will notice that 
memory from $800 to $BFF gets wiped clean and that a reset error 
routine gets moved to $8F00— $8F80. This is a good indication that 
Flip Out lives from $C00 to $8F80! I'll let you sort through the 
B00T2 code to find out for sure, or you can take my word for it. 

The last tidbit of information that the B00T2 loader reveals is the 
starting location of Flip Out. Look at the code at $17CC— $17E4 
and you'll see how it wipes out memory from $800 to $BFF and 
then JMPs to $7800 to start the game. 

Now we have filled requirements one and two. All that is left 
is to save the memory from $C00 to $8F80 on a normal DOS 3.3 
disk. This is easy since a 48K slave disk does not destroy memory 
from $900 to $96FF. So just boot Flip Out and, when the drive 
stops, I reset] into the Monitor. Now boot your 48K slave disk and 
save Flip Out to disk! In cook-book fashion, here are the steps 
necessary to get a BRUNable version of Flip Out. 
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The Steps 

I Q| Turn your Apple OFF and remove your RAM card. 

I * I Boot Flip Out th en aft er the drive stops and Flip Out is 
l oaded into memory, hit (resetI to enter the Monitor. 

I 2| Boot a 48K slave disk: 

PR#6 

I 3 I Enter the Monitor by typing: 
CALL-151 

I 4 I So that the program will execute when BRUN, enter some 
code which JMP's to $7800 to start up the game: 

BFD.-4C 00 78 

I 5| BSAVE Flip Out by typing: 
A964:FF 
BSAVE FLIP-OUT,A$BFD,L$8383 

If you want the title page displayed, you will also have to perform 
the following steps: 

6j Reboot the Flip Out disk and [reset] into the Monitor when 



you see the title page. 

JJ Boot your 48K slave disk and BSAVE the picture by typing: 



PR#6 

BSAVE PIC,A$2000,L$1FFB 



jO BLOAD the Flip Out file and the picture file: 



BLOAD FLIP-OUT 
BLOAD PIC,A$2000 



Jy Enter the Monitor and type in the following code which 



will display hi-res page 1 and wait for a key to be pressed before 
it JMP's to the start of the game: 

CALL -151 

BE0:AD 10 C0 AD 50 CO AD 54 
BE8:C0 AD 57 CO AD 52 CO AD 
BF0:00 CO 10 FB 4C 00 78 



Jj[] BSAVE the file by typing: 
A964:FF 
BSAVE FLIP-OUT,A$BE0,L$83A0 



S 
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Hi-Res Computer Golf II 



Avante-Garde Creations 



I Using Super IOB to Copy Hi-Res Computer Golf II | 

byJeffRivett 
(Hardcore COMPUTIST # 12, page 6) 




Requirements: 

Apple ][ Plus or equivalent 

Super IOB and the swap controller 

Two blank disks 



Using the following method will help you to remove the copy 
protection from a lot of older software. Although simple, it's a great 
solution when your program is constantly accessing the disk and 
the DOS is reasonably close to DOS 3.3. It's well worth trying in 
many cases, because it is so easy. 

How it works 

First the original disk is booted to get the copy-protected DOS 
into the machine. This is the only tricky part because you have to 
have some means of stopping the execution of the program so that 
the Apple's Monitor can be entered. In Avant-Garde's Golf II, the 
Reset vector is set to re-boot the disk. However, if you lift the drive 
door prior to hitting I reset | twice, the disk drive will shut OFF and 
the protected DOS will still be in memory. The RWTS (Read/Write 
Tracks & Sectors) of the protected DOS can then be moved to a 
safe location prior to booting up with a normal DOS disk. The 
protected RWTS can then be saved and utilized by Super IOB, with 
the swap controller installed, to read the protected disk. For Golf, 
you only have to leave the disk drive door open to capture the 
RWTS, but for most other programs you will need an old-style 
monitor F8 ROM or one of the Non-Maskable Interrupt (NMI) copy 
cards to do the trick. 

When Super IOB has the swap controller installed, it will load 
in a protected disk's RWTS at $1900-$2100. When it comes time 
to read the protected disk, this RWTS is moved into $B800— $BFFF. 
For writing, the normal RWTS is moved back into $B800-$BFFF. 
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In other words, the disk is deprotected by reading it with a protected 
RWTS and writing the copy with a standard RWTS. 

| T| Boot the Golf II disk and when the DO YOU WANT TO 
SEE THE INTRO? prompt appears, open the disk drive door and 
hit [reset! . Hit [reset] a second time to turn OFF the drive. The 
Golf II DOS will still be in memory. 

rT| Enter the Monitor and move the Golf II RWTS to $1900: 

CALL -151 
19OO<B80O.BFFFM 

| 3| Boot up with a slave DOS 3.3 disk which has a small or 
null HELLO program: 
C600G 

| 4| Insert the disk which has Super IOB on it and BSAVE the 
Golf RWTS: 

BSAVE GOLF.RWTS,A$190©,L$8<»© 

| 5J Load in the Super IOB program: 
LOAD SUPER IOB 

| 6| Type in or EXEC in the swap controller and make sure that 
the file BLOADed in line 10010 is called GOLF. RWTS): 
| 7| Run Super IOB and copy both sides of the Golf disk. The 
Golf DOS should NOT be copied. 

Golf II has a strange bug that can be fixed by adding a line to 
the Applesoft file called SWING. PRACTICE. FP. To fix this bug, 
LOAD the file and add this line: 
2 POKE 16611 ,1 

If you use the technique I have just outlined on another disk and 
it seems to work (except for the fact that the copied program will 
not run), you may be able to figure out what is going on by tracing 
the now readily accessible code and making modifications where 
necessary. This is something that cannot be taught. Sometimes the 
modifications will be quite simple, like adding a POKE statement 
to an Applesoft program or omitting portions of an Applesoft or 
machine language file. 

If you happen to have a Replay II card, you can make a copy 
of the program at the title page and another copy with normal DOS 
3.3 in the machine. You can then use the 'Compare' option on the 
Replay II utility disk to compare the copy-protected DOS with 
normal DOS 3.3. This is often very helpful in making patches that 
allow the new copy to run properly. 



i 
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Knoware 

Knoware, Inc. 

Softkey for Knoware 

by Doni G. Grande 
(Hardcore COMPUTIST # 14, page 6) 




Requirements: 

Apple ][ P lus w ith 64K RAM 

A way to |reset[ into the Monitor 

COPYA 

A sector editor 

Three blank disks 



Knoware is a very interesting game - simulation - educational 
program. The player starts out in a company working in the 
mailroom. The objective is to become chairman of the board. In 
order to accomplish this, you must use computer application 
programs for spreadsheet analysis, wordprocessing, and database 
use. All of the application programs may be used on their own, so 
once you make chairman of the board, you have learned how to 
use all of the programs! 

First of all, only the first (out of three) disk is protected. Secondly, 
Knoware checks the disk in the drive to be sure it is an original. 
However, it is fairly easy to short-circuit this check. The procedure 
to make a COPYAable version of Knoware is as follows: 

I 1 I Use COPYA and duplicate the original Disk #1. 

I 2 I Use a sector editor to make the following changes: 

Track Sector Byte From To 

$17 
$17 
$17 



$01 


$14 


$01 


$15 


$01 


$16 



$4C 


$A9 


$8D 


$00 


$20 


$EA 



This changes the file ONESHOT. 0W(A$2000,L$FBA), and prevent 
a call to a protection-check subroutine by replacing the JSR $208D 
with a LDA #00 and a NOP, which tricks the program into thinking 
there is an original disk in the drive. 
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I 3 I Now use COPY A to copy Disks 2 and 3, and you have the 
complete set. 

One modification that you might want to make is to allow a fast 
DOS to be used. There is a check in the file ONESHOT. OVR io see 
if the I/O hooks have been changed. Some fast DOS versions do 
change these. The following change will defeat this check: 



Track 


Sector 


Byte 
$01 


From 


To 


$10 


$0F 


$D0 


$EA 


$10 


$0F 


$02 


$0C 


$EA 


$10 


$0F 


$05 


$C9 


$A9 


$10 


$0F 


$06 


$9E 


$00 



An Alternate Procedure 

This procedure may not work on all versions of Knoware. This 
is an alternate way to unlock Knoware. 

I 1 1 Use COPY A and copy the original disk #1. 



I 2 1 Insert the copy of disk #1 into drive 1 and type the 
following: 

CALL -151 

BLOAD ONESHOT.OVR 

2©1©:A9 00 EA 

BSAVE ONESHOT.OVR, A$2000,L$FBA 

BLOAD BOOTKW 

9FD:EA EA 

A01:A9 00 

BSAVE BOOTKW,A$800,L$852 



~2\ use COPY A to make copies of disks #2 and #3. 



S 
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Laf Pak 

Sierra On Line 

Normalizing Laf Pack 

by Ferrel Wheeler 
(Hardcore COMPUTIST #13, page 9) 




Requirements: 

Apple ][ 

1 blank disk 

1 initialized disk (preferably with a fast DOS) 

COPYA from the DOS 3.3 System Master 

Any sector editor program such as DiskEdit or ZAP 



Laf Pak is a collection of four small but very enjoyable and 
playable games. Number one in the pak is Creepy Corridors, a 
maze type game that is by far the most fun, especially with the 
hilarious sound effects. Apple Zap is a four way shoot'em up game. 
Space Race is a game in which you race an opponent or the computer 
through a multitude of little bird-like aliens. Finally, Mine Sweep 
is an almost impossible game in which you try to clear a mine field 
in a given amount of time. 

In trying to backup this disk, I first noted that the publisher was 
Sierra On-Line. Many companies use a standard copy-protection 
method on most of their products and I figured Laf Pak was 
protected, like most of their other products, with a nibble count on 
track 0. This turned out to be true. A check is made at the beginning 
of each of the individual games. It is always helpful to know of a 
company's past methods of copy-protection when trying to unlock 
any of their software. For example, the original Zork softkey in The 
Book Of Softkeys Volume I, page 156, still works for all of 
Infocom's adventures, almost all of Automated Simulations software 
can be DEMUFF I /V-ed, and the boot-code-trace for Hard Hat Mack in 
The Book Of Softkeys Volume I, page 101, can be used on 
some other Electronic Arts games. 

To disable the the disk checking routines for Laf Pak, I simply 
had to find the first JSR (a subroutine call) at the beginning of each 
of the games and replace it with NOP's (no operation). For example: 
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Creepy Corridors starts at $800 and at $808 there is a JSR $1B33 
which is the call to the disk verification scheme. In machine code 
this code is 20 33 IB, so I simply used a disk searcher to find these 
three bytes on the LafPak disk. With LafPak this can easily be 
done since the disk is written in standard DOS 3.3 format. I found 
similar calls in the other three games and recorded the locations 
of all the bytes that needed to be changed to EA (op code for NOP). 
So, to back up LafPak simply use COPY A to copy the entire disk 
(always write-protect your original first!). Then use a sector editing 
program to make the following changes to the backup. 

Track: 444 14 14 14 9 9 9CCC 

Sector: 000000222777 

Byte: 8 9 A D E F F 10 11 F 10 11 

From: 20 33 IB 20 0D 72 20 7C 13 20 33 17 

To: EA EA EA EA EA EA EA EA EA EA EA EA 

You now have a completely unprotected backup of LafPak which 
can be copied with any standard copier. If this is all you want you 
can stop here, but I wasn't satisfied because using a full disk for 
a backup of a game is usually a waste of disk space. I wanted each 
game normalized, i.e. BRUNable and FIDable. I also wanted the Lof 
Pak machine to work as normal from a standard binary file. 

Normalizing each game will illustrate the method of using memory 
moves to compact binary files and will also illustrate how to pass 
commands to DOS from within machine language programs. When 
we are done there will be plenty of room on the disk for any other 
games you want to store with Laf Pak. 

The first thing to do, while the sector editor is still handy, is to 
change the name of the file tha t is ru n on boot up. It is named LAF 
PAK, but is preceded with seven ISHl s. Since we will want to load 
this file in from hand, we need to get rid of the control characters. 
Use your sector editor to read in track $11, sector $F and, beginning 
with byte $0E, ty pe in LP ($CC $D0) and enough spaces ($A0) 
to cover the seven BHl s ($88) and the ASCII codes for LAFPAK. 
Write this sector back to disk. Now when you CATALOG your 
backup LafPak disk, the first file should be a 4-sector binary file 
named LP. 

Before we actually begin you need to boot your initialized disk, 
type in the following code at $800 and save it as PAGE MOVER. 

CALL -151 

800:A2 00 A0 FF 84 3E C8 84 

808:3C 84 42 BD 25 08 85 43 

810:E8 BD 25 08 85 3D E8 BD 

818:25 08 85 3F E8 20 2C FE 

820:E0 06 DO DE 60 00 00 00 
BSAVE PAGE MOVER,A$800,L$28 
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In Assembly language this looks like: 



0800- 


A2 00 


LDX #$00 


0802- 


A0 FF 


LDY #$FF 


0804- 


84 3E 


STY $3E 


0806- 


C8 


INY 


0807- 


84 3C 


STY $3C 


0809- 


84 42 


STY $42 


080B- 


BD 25 08 


LDA$0825,X 


080E- 


85 43 


STA $43 


0810- 


E8 


INX 


0811- 


BD 25 08 


LDA$0825,X 


0814- 


85 3D 


STA $3D 


0816- 


E8 


INX 


0817- 


BD 25 08 


LDA$0825,X 


081A- 


85 3F 


STA $3F 


081C- 


E8 


INX 


081D- 


20 2C FE 


JSR $FE2C 


0820- 


E0 06 


CPX #$06 


0822- 


D0 DE 


BNE $0802 


0824- 


60 


RTS 



This routine uses the Monitor's move subroutine at $FE2C (note 
the Y-register must be on entry) to perform block page moves 
where a page is considered to be 256 bytes starting at an address 
of the form XXIX), i.e. the low order byte is 00. If $800 is considered 
the first byte of the routine, then the 'table' begins at byte $825. 
A table entry is 3 bytes designating which pages to move and where. 
For example, if I wanted the Monitor to perform the following move: 
1100<2200.33FFM, the table entry would be: 825:11 22 33 . You 
can have as many as 85 table entries but you must set byte $21 to 
3 times the number of memory moves to be performed (in other 
words, set it to the total number of bytes in the table). As long as 
you load this code on a page boundary, then bytes $0D, $13 and 
$19 are the only bytes you have to change to relocate the code. These 
locations should hold the hi-byte of the page to which you relocate 
the code. If you are using an assembler, you can make all of these 
changes in the source code by simply changing the origin and the 
contents of the table. 

Our goal is to have 5 binary files, the 4 games and the menu or 
FUN MACHINE file which we will name LAFPAK. We will change the 
menu file to simply BRUN the selected game instead of loading it 
in directly from disk as it does on the original disk. 

On the original, when you are playing any of the games and you 
hit [HD, the game will BRUN a file called BOOT. OBJ which in turn 
loads in the menu. We will simply change each game to BRUN LAF 
PAK instead of BOOT. OBJ. 

The first thing we need to do is to save each of the games. I will 
illustrate all of the steps in detail for the first game, Creepy 
Corridors. 
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Creepy Corridors 



I 1 I Boot the initialized disk on which you saved PAGE MOVER 
(preferably a disk with a fast DOS on it). Insert your LafPak backup, 
load the boot-up file LP and get into the Monitor. 

BLOAD LP 
CALL -151 



2| LP starts at $1400 where it first reads in the I/O routine at 



$220. Whatever the accumulator is holding on entry to $220 
determines which game (or the menu) is to be loaded. A means 
Creepy Corridors and a 4 means the menu. At $1438, the 
accumulator is loaded with 4 (indicating that the menu is to be 
loaded) and a jump is made to $220. We can change this JMP 
instruction ($4C) to a $60 (RTS) so that the I/O routine will be 
loaded, but not executed. To do this type: 

143A:60 N 14Q0G 

Upon examination of the I/O routine at $220, you can see that each 
game and the menu are loaded in three seperate chunks. The 
destination addresses and the number of pages to be loaded in each 
chunk are given in the tables at $2FA and $2EB, respectively. With 
this information and a little bit of hexadecimal addition, the following 
addresses can be determined: 

Creepy Corridors: $800— 1CFF $4000-5FFF $7000-94FF 

Space Race: $800— 15FF S6000-6EFF S8000-93FF 

Mine Sweep: $800-lEFF $4000-5FFF S8700-94FF 

Apple Zap: $4000-5FFF S6000-7EFF $7D00-8CFF 

Fun Machine: S800-EFF $4000-60FF $9000-94FF 



3| We are going to let the LafPak routine read in each game, 



then stop it before it jumps to the beginning of each game. This 
is done by changing the JMP at $28 A to a RTS: 

28A:60 

I 4 I Now we just need to load the accumulator with for Creepy 
Corridors and jump to $220. This is done by changing the code at 
$1438 so that the accumulator will contain a when the I/O routine 
executes: 

1439:00 4C N 1438G 

I 5| The code is now in, so let's change BOOT. OBJ to LAFPAK 
so the menu will be loaded if I esc | is pressed: 

14C5:CC CI C6 A0 DO CI CB A0 



40 The Book Of Softkeys Volume III 



~6] We next can compact the 3 chunks of code into one 



contiguous block with the following memory moves: 

1D00<4000.5FFFM 
3DOO<7O0O.94FFM 

| 7| Since PAGEMOVER will live at the end of the block (at $6200), 
we need to call this subroutine before the main program is run. So 
we put a JSR $6200 at the beginning of the code: 

7FD:20 00 62 

| 8 | Now insert the initialized disk with PAGE MOVER on it, load 
it in and change it so that it will run at this new location: 

BLOAD PAGE MOVER,A$6200 
620D:62 N 6213:62 N 6219:62 

| 9 | Note that the inverse of the moves made in step 6 are 
7000<3D00.61FFM & 4000<1D00.3CFFM, which give us the table 
entries for the move code: 

6225:70 3D 61 40 ID 3C 

I 10 | Save the game: 

BSAVE CREEPY CORRIDORS,A$7FD,L$5A80 

You now have a completely normalized Creepy Corridors game 
which can be BRUN to your heart's content. Before going on, you 
should first test it by clearing memory and then running it from disk. 
An easy way to clear memory without turning your Apple OFF is 
by typing: 

800:00 N 80<800.9500M 

If something goes wrong, BLOAD the file and check the code at 
$6200 for any typos. 

In case you got lost along the way, here are the basic steps we 
performed in order to capture a compacted version of Creepy 
Corridors. 

| A | Load the game into memory. 

| B | Compact the game code into one contiguous area of 
memory. 

| C | Append the PAGE MOVER routine onto the end of the 
compacted code and fix it so it will run properly there. 

| D | Put the proper values into the PAGEMOVER table. 

| E | BSAVE the game after inserting some code at $7FD that 
calls the PAGEMOVER routine before the game tries to execute. 

When the game is BRUN, the PAGEMOVER routine de-compacts 
the code. 
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For the other three games, the steps are very similar to those we 
performed for Creepy Corridors. 



Space Race 



| 1 1 — | 3 | see Creepy Corridors 

| 4 | The accumulator should hold a 1 so that Space Race will 
be loaded: 

1439:01 4C N 1438G 



_§J Change BOOT. OBJ to LAF-PAK: 



962:8D 84 C2 D2 D5 CE A© CC 
96A:C1 C6 A0 DO CI CB 



~6~1 Compact the game's code with the following memory 



moves: 



1600<6000.6EFFM 
2500<800Q.93FFM 



T1 Insert the code which calls the PAGE MOVER routine: 



7FD:20 00 39 



| 8 | Insert the initialized disk, load the move routine and relocate 
it: 

BLOAD PAGE MOVER,A$3900 
390D:39 N 3913:39 N 3919:39 

I 9| Put in the table for PAGE MOVER: 
3925:80 25 38 60 16 24 

1 10 1 Save the game: 

BSAVE SPACE RACE,A$7FD,L$3180 



Mine Sweep 



| 1 | — 1 3 | see Creepy Corridors. 

| 4 1 The accumulator should hold a 2 so that Mine Sweep is 
loaded in: 

1439:02 4C N 1438G 

I 5| Change BOOT. OBJ to LAF PAK: 
96D:CC CI C6 A0 DO CI CB A0 
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6| Compact the code with the following memory moves: 



290©<800.1EFFM 
6000<8700.94FFM 

I 7 I Insert some code which calls the PAGE MOVER routine 
and jumps to the start of the game: 

28FA:20 00 6E 4C 00 08 

I 8 | Insert the initialized disk, load PAGE MOVER and relocate 
it: 

BLOAD PAGE MOVER,A$6E00 
6E0D:6E N 6E13:6E N 6E19:6E 



9| Install the memory move table at $6E25: 



6E25:87 60 6D 08 29 3F 

10 | Finally, save the game: 
BSAVE MINE SWEEP,A$28FA,L$4580 



Apple Zap 



I 1 | — | 3 | see Creepy Corridors. 

I 4 | The accumulator should hold a 3 so that Apple Zap is 
loaded: 

1439:03 4C N 1438G 



jf] Change BOOT. OBJ to LAF PAK: 



63BD:CC CI C6 A0 D0 CI CB A0 

I 6 1 No moves are necessary since the code is already 
contiguous. 

I 7 | Insert the code which jumps to the beginning of the game: 

3FFD:4C 00 60 
PAGE MOVER is not used with this game,so... 
I 8 I Insert the initialized disk and save the program: 

BSAVE APPLE ZAP,A$3FFD,L$4D03 

Before we move on to the menu program, I would like to note 
that Mine Sweep, Apple Zap and the menu all store standard hi-res 
pictures at $4000— $5FFF. Those of you who are ambitious and 
wish to save about 50 more disk sectors can pack these pictures and 
insert the unpacking routine with them to make these files even more 
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compact. If you just want to be able to BRUN each of the games 
and do not care about the 'Fun Machine' menu, then you have 
completed this task and you can stop here. But if you would like 
to use the menu program on occasion, then read on. 



The Fun Machine 



Capturing the menu program is similar to the above except that 
we must intercept the jump to the I/O routine to load in a game 
and replace it with our own BRUN routine. At $862, the number 
of the game that is chosen is utilized to get an address from an 
address table at $D62. This address is stored in $00. $01 which is 
used as a vector to the correct entry into the I/O routine. We will 
place our own address table at $D62 so that $00.$01 becomes a 
pointer to the correct game that should be run. We will then print 
out BRUN with the code: 



86C- 


LDY #$06 


86E- 


LDA$0879,Y 


871- 


JSR $FDED 


874- 


DEY 


875- 


BNE $086E 


877- 


JMP $0E30 


87A- 


N U R B ISDI 


At $E30 


we will place a routine that uses the address in $00. $01 


to print 


the name of the game. The code to do this looks like: 


E30- 


LOY #$00 


E32- 


LDA ($00), Y 


E34- 


JSR $FDED 


E37- 


INY 


E38- 


BNE $0E32 



The result is that DOS will BRUN the desired game from the Fun 
Machine menu. All of the steps are summarized as follows: 

I 1 | — | 3 | see Creepy Corridors. 

I 4 | The accumulator should hold a 4 so that the menu is loaded: 



1439:04 4C N 1438G 

I 5A| Type in the code below which will print out the DOS 
command BRUN (preceded by a |beturn| and a (SB)): 

86C:A0 06 B9 79 08 20 ED FD 88 DO 
876:F7 4C 30 0E CE D5 D2 C2 84 8D 



I 5B| Type in this code which will print out the name of the game 
to be run: 

E30:A0 00 Bl 00 20 ED FD C8 DO F8 



44 The Book Of Softkeys Volume III 



I 5C| Next, install in memory a table which contains the names 
of the four games (each followed by |return| ): 

E40:C3 D2 C5 C5 DO D9 AO C3 
E48:CF D2 D2 C9 C4 CF D2 D3 
E50:8D CI DO DO CC C5 AO DA 
E58:C1 DO 8D D3 DO CI C3 C5 
E60:A0 D2 CI C3 C5 8D CD C9 
E68:CE C5 AO D3 D7 C5 C5 DO 
E70:8D 

| 5DJ Now, put the addresses of the names in the address table: 
D62:40 OE 51 OE 5B OE 66 OE 



| 6J Compact the menu code with the following memory moves: 

F00<4000.60FFM 
3000<900e.94FFM 

| 7 | Insert the code which calls the PAGE MOVER routine: 
7FD:20 00 OE 

| 8l Insert the initialized disk, load the PAGE MOVER and 
relocate it: 

BLOAD PAGE MOVER,A$E00 
E0D:0E N E13:0E N E19:0E 



~9l Install the PAGE MOVER table: 



E25:40 OF 2F 90 30 34 

| 10 | Of course, we also have to save the compacted code for 
the menu: 

BSAVE LAF PAK,A$7FD,L$2D03 

Now you have a completely normalized LafPak that you can put 
on any one of your game disks. I hope the techniques I have 
illustrated will come handy when you are trying to normalize other 
copy-protected games. 



£ 
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Learning With Leeper 

Sierra On-Line Inc. 

Softkey For Learning With Leeper 

by Marco Hunter 
(Hardcore COMPUTIST # 13, page 8) 



Requirements: 

48K Apple ][ or compatible 

One disk drive and DOS 3.3 

COPY A from the DOS 3.3 System Master 

A sector editor 

A blank disk 

The three things you can count on in this life are death, taxes, and 
Sierra On-Line's nibble counts. With this in mind, I tackled Learning 
with Leeper, a recent educational release from Sierra. As usual, the 
disk is normal DOS 3.3, easily COPYA-able but it will not work 
correctly). I discovered that the nibble count checks track $0. This 
was also standard Sierra. 

Tracks $00, $03, and $1F are popular tracks for Sierra On-Line 
nibble counts. I decided to go all-out and remove the nibble count 
entirely. But when I finally found the nibble count routine, I decided 
that the easiest thing to do was simply avoid jumping into it, rather 
than trying to modify it. Let's deprotect Learning With Leeper. 

I Li Boot the 3.3 System Master as usual (PR#6 I return | ). 



_2j Use COPY A to make a backup of Learning with Leeper. 



I 3] Use your sector editor to modify these bytes on the new 

copy eliminating the nibble count routine: 

Track Sector Byte From To 



$03 


$0F 


$2C 


$20 


$EA 


$03 


$0F 


$2D 


$00 


$EA 


$03 


$0F 


$2E 


$12 


$EA 
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Lion's Share 

Davka Corporation 

Softkey For Lion's Share 

by Jan Eugenides 
(Hardcore COMPUTIST # 12, page 14) 




Requirements: 

Apple ][ Plus or equivalent 
One blank disk 
Super IOB 

The Lion's Share is a pretty good adventure, with some nice 
graphics. I enjoyed it, but even more, I enjoyed figuring out the 
protection scheme. It was much more of a challenge than getting 
the sword out of the snake pit! First, for those of you who just want 
to backup the game, here's the softkey: 



Tl Boot your DOS 3.3 System Master and clear any program 



in memory. 

PR#6 
FP 

| 2 | Enter the Monitor and make some modifications to DOS 

CALL -151 

BA69:60 

BA6A<BA69.BA91M 

BCDF:60 

BCE0<BCDF.BCF8M 

| 3 | Put in a blank disk and put this modified DOS on it: 
INIT A 

| 4 I Turn the disk over and put this DOS on the back side, too. 
You will have to cut a notch in the side of the disk to allow you 
to use the back: 

INIT A 
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I 5 I Put side one of The Lion 's Share in the drive, start the drive 
with the drive door open then press the I break I key: 

PR#6 

feci 



6 I Close the door, wait for the break message and then clear 



the program in memory: 
FP 

I 7 I Enter the Monitor and move the RWTS to a safe place for 
booting: 

CALL -151 
2O00<B800.BFFFM 

I 8j Put your Super IOB disk (or some other disk with a very 

short Hello program) in the drive, boot it and save the RWTS:. 

6 (BPl 

BSAVE RWTS.LIONS,A$2000,L$800 

I 9j Load Super IOB, type in the controller at the end of this 

article and then RUN Super IOB. 

I 10 I Copy both sides of the original Lion 's Share disk to both 
sides of the disks you formatted at the start of the procedure. 

I 111 You're done! Boot your copy and enjoy! 

Beneath The Softkey 

When I booted the game, I noticed a prompt at the bottom of the 
screen. This usually means that some form of DOS is being used. 
Going on this assumption, I decided to have a look at tracks $0—2 
of the disk, to see if I could ferret out the system. 

No dice. I couldn't read the disk at all, nor would it CATALOG. 
Using a Hardcore COMPUTIST program called Diskview 1.1 A, I 
managed to peek at the raw nibble dump, and it was definitely 
nonstandard. So, I resorted to a little trickery. 

First I removed the top 8 RAM chips from my machine. These 
are the ones nearest to the left rear of the Apple, inside the white 
box labeled "RAM." (Scary, isn't it?) Then I booted my System 
Master. (It has to be the master, and not a slave disk.) This had 
the effect of loading DOS 16K lower in memory than usual. (The 
higher memory was in my left hand!) 

You see, the master disk checks to see how much memory is 
available and loads DOS in at the top of this available memory. A 
slave disk, on the other hand, always loads DOS into the same 
location, namely the location it was in when the slave was made. 
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I then initialized a slave diskette, using my now 32K Apple. I'll 
call this the 32K slave. Next, I replaced the RAM chips, and booted 
The Lion's Share. 

Pressing I reset | causes the disk to re-boot, since the reset vector 
has been changed, so I took advantage of this fact. I now removed 
the game disk, and put in my 32K slave. Pressing Ireset) caused 
the disk to boot, and regular old DOS 3.3 was loaded in at its 32K 
location. Because of this, Davka's DOS was still intact in the upper 
memory! Now it was a simple matter to save this Davka DOS with 
an address of $9D00 and a length of $22FF. 

I now had Davka DOS on my disk as a binary file. You may be 
able to use this method on other protected disks. Just keep the 32K 
slave around for future use. 

The next step was to boot up the System Master again, thus placing 
DOS 3.3 back in its normal location at $9D00. I now BLOADed 
Davka DOS at $2D00. (It can be anywhere, really, as long as it 
doesn't overwrite DOS 3.3) 

Using the Monitor VERIFY command I made a print-out of all 
the locations which were different between the two DOSs. This is 
a nifty command which compares two ranges in memory and tells 
you if they are the same or not, and if not, what the differences 
are. Check the Apple reference manual for more information. 

In this case, the command was 2D00<9D00.BFFFV. (Turn on 
your printer first with a PR#1, and set it to skip the perforations 
if you can.) This gave me a complete list of all the changes! 

With my trusty copy of Beneath Apple DOS in hand, I proceeded 
to analyze the changes. I saw that the spelling of the SAVE and 
INIT commands had been altered but the rest of the commands were 
the same. 

Most importantly, I discovered that both the read and write 
routines had been changed, as well as their translate tables. No 
wonder I couldn't read the disk; it was scrambled! 

Then it was no problem. I just patched the DOS 3.3 read routine 
to match that used by Davka. Sure enough, I could now CATALOG 
the game disk. Of course, the DOS 3.3 write routine was still 
standard, so all I had to do was FID all the files over to a normal 
disk, right? Not quite, but close! 

Once I had copied all the files to a normal disk, I booted it and 
tried to run the game. It worked perfectly until I tried the SAVE 
GAME option, and then it bombed. 

The Apple obligingly informed me that it had stopped at $BA78. 
Hmmm. Isn't that unused space in DOS? Yep, it sure is. But Davka 
put a routine there which changed the address and data markers back 
to standard, so that their game could read and write to standard disks. 
(Pretty sneaky, huh?) 

I replaced this whole section with 60's (RTS), and also the section 
at $BCDF, which was part of the same routine. 
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After I had initially deprotected The Lion 's Share, I discovered 
something which made the overall softkey procedure a little easier. 
What I found was that The Lion's Share boot program would 
BREAK (stop execution) if IBCI was typed as the disk booted. After 
the BREAK occurred, typing: 

FP 

CALL -151 

2O00<B8QQ.BFFFM 

allowed me to enter the Monitor and move the Lion 's Share RWTS 
to a safe location. After booting with a slave disk, I just BSAVEd 
the RWTS. 

To automate the copy process a little, I modified the SWAP 
Controller of Super IOB so that it would utilize the Lion 's Share 
RWTS. All these changes were incorporated into the softkey 
procedure which I detailed at the beginning of this article. 

Ta Daaa! 

I haved played the whole game through on my copy, and it works 
perfectly. It works exactly like the original, only now I don't have 
to worry about damaging it because I can make backups. Also, I 
can peek at the files if I feel too frustrated, although this game isn't 
that hard. Not like Zork III, anyway! I can also check out the 
program to see how it works and learn some more. That's what 
it's all about, right? 



controller 

1000 REM SWAP CONTROLLER (LIONS SHARE ) 

1010 TK = 3 :ST = : LT = 35 :CD = WR 

1020 Tl = TK : GOSUB 490 : GOSUB 360 : ONERR GOTO 550 

1030 GOSUB 430 : GOSUB 100 :ST = ST + 1 : I F ST < DOS THEN 1030 

1040 I FBF THEN 1060 

1050 ST = :TK = TK+1 : IF TK < LT THEN 1030 

1060 GOSUB 490 :TK = Tl :ST = : GOSUB 360 

1070 GOSUB 430 : GOSUB 100 :ST = ST + 1 : I F ST < DOS THEN 1070 

1080 ST = :TK = TK+1 : I F BF = AND TK < LT THEN 1070 

1090 I F TK < LT THEN 1020 

1100 HOME : PRINT "REMEMBER' TO 4 COPY 4 BOTH' SIDES" : END 

10010 PRINT CHR$ (4) "BLOAD'RWTS.LIONS,A$1900" 



ft 
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Master Type vl.7 

Lightning Software 

Master Type Softkey 

by Peter Rongays 
(Hardcore COMPUTIST #15, page 8) 




Requirements: 

48K Apple ][ Plus or equivalent, with 
Old F8-ROM or copycard 
Super IOB 
One blank disk 



Bruce Zweig's Master Type has been one of the best-selling pieces 
of software for the Apple ][ ever since it was released back in 1981 . 
The program's most unfortunate drawback is a common one: it is 
copy-protected. Since the program is undoubtedly being used in a 
fair number of schools throughout the USA and elsewhere, there 
is a corresponding demand for information on how to backup this 
disk. The reluctance of an instructor to turn over the only copy of 
a $40 program to a group of precocious eight-year-olds is entirely 
understandable. 

Luckily, as I found out, Super IOB has little difficulty in copying 
Master Type. This article will explain how to make the backup. 

Judging from the EDD III parameter list for Master Type, it 
appears to have been protected by Lock-It-Up, one of those copy- 
protection utilities that you may have seen advertised as being able 
to produce an 'uncopyable' disk (Note: The 'uncopyable' disk is 
close kin to the 'unsinkable' Titanic). Indeed, Master Type is 
protected fairly well, as evidenced by its several months stay on 
the Hardcore Most Wanted List and the difficulty of backing it 
up with a bit copier. 

Upon booting Master Type, the familiar Applesoft prompt will 
appear while the game loads, an indication that a disk can be copied 
by Super IOB with the Swap Controller installed, as long as its 
RWTS can be captured by some means. This is the case with Master 
Type, but the Super IOB copy made with the standard Swap 
Controller will not work because the text of some of the DOS 
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commands have been altered. You can verify this by booting Master 
Type, halting it with an old Monitor |reset| or NMI and then 
examiming memory from $A884 to $A908. About half of the normal 
DOS commands have been blanked out entirely and, of those that 
remain, nine are the same as with normal DOS and five have had 
their text changed: 

DOS 3.3 Command Master Type Command 



INIT 


SAVE 


DELETE 


KILLDE 


CLOSE 


CLOSE 


READ 


READ 


EXEC 


EXEC 


WRITE 


WRITE 


OPEN 


OPEN 


CATALOG 


CATNDOG 


NOMON 


NOMON 


PR# 


PR# 


IN# 


IN# 


FP 


FP 


BLOAD 


YZ123 


BRUN 


YZ23 



Because the majority of Master Type is written in Assembly 
language, it would take a bit of work to track down the location 
from which these altered DOS commands are being executed. This 
would be required if you wanted to make the program totally 
compatible with DOS 3.3. Instead of all this work, I decided to 
modify the Super IOB Swap Controller a bit so that the entire Master 
Type disk, with the exception of the sectors that contain the RWTS, 
would be copied. A Master Type disk with a hybrid DOS is thus 
created. It will be normally formatted and completely COPYAable, 
but its DOS will still use the altered commands. If you examine 
the Master Type controller listed at the end of this article you will 
see that it is the Swap Controller with lines 1010, 1060 and 10010 
modified and line 1065 added. 

One other change that must be made to the copy of the Master 
Type disk is to fill in two of the free areas in the RWTS with 
hexadecimal $60's. This is necessary because Master Type can store 
user-created lessons on normally formatted disks. On the original 
Master Type disk, this free space contains some code which modifies 
the RWTS depending upon whether the original or a data disk has 
to be read. This code won't be needed, or present, on the copy. 
Therefore, we will just replace it with a bunch of machine language 
RTS's. 

With a little more effort, I'm sure Master Type could be made 
to work with a totally normal DOS, but it probably is not worth 
the effort to do so unless you have some modifications or 
enhancements you would like to add to it. I will leave that chore 
up to the more ambitious readers. 
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Making the Copy 

l| Boot up the original Master Type disk and, after the program 



has been loaded, stop it with a Ireseti or NMI. 

I 2 I From the Monitor, move the Master Type RWTS to a 'safe' 
location: 

1900<B800.BFFFM 

I 3| Boot up a DOS 3.3 slave disk and then BSAVE the Master 
Type RWTS onto a disk which contains Super IOB: 

BSAVE RWTS. MASTER TYPE, A$1900,L$899 

I 4| Enter the Monitor and fill in two of the 'holes' in the RWTS 
with $60's (RTS's) before initializing a blank disk: 

CALL -151 

BA69:60 N BA6A<BA69.BA94M 
BCDF:60 N BCEO<BCDF.BCFEM 
INIT HELLO 

I 5 | Load Super IOB, install the controller and then make a copy 
to the disk initialized in Step 4 above. Note: Do not reformat the 
disk. 

controller 

1000 REM MASTER TYPE CONTROLLER 

1010 TK = :ST = 10 : LT = 35 :CD = WR 
1020 Tl = TK : GOSUB 490 : GOSUB 360 : ONERR GOTO 550 
1030 GOSUB 430 : GOSUB 100 :ST = ST + 1 : I F ST < DOS THEN 1030 
1040 IF BF THEN 1060 

1050 ST = :TK = TK + 1 : IF TK < LT THEN 1030 
1060 GOSUB 490 :TK = Tl :ST = : I F TK = THEN ST = 10 
1065 GOSUB 360 

1070 GOSUB 430 : GOSUB 100 :ST = ST + 1 : I F ST < DOS THEN 1070 
1080 ST = :TK = TK + 1 : IF BF = AND TK < LT THEN 1070 
1090 IFTK< LTTHEN 1020 

1100 HOME : PRINT "EVERYTHING i 0.K. A N0 i D0S A 0N 4 C0PY" : END 
10010 IF PEEK ( 6400 ) <> 162 THEN PRINT CHR$ (4 ) "BLOAD 
RWTS. MASTER' TYPE, A$1900" 



An Alternate Softkey by Harry Noel 



I don't have an F8 Monitor ROM, so I had to find another way 
to load in Master Type's RWTS. This is how you can do it: 

I 1 | Boot a normal DOS 3.3 disk and insert the Master Type 
disk. 
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2 | Enter the Monitor with: 
CALL -151 

~3\ Move BOOT0 into RAM and modify it to jump to $8801 : 
8600<C600.C6FFM 86FA:88 



4 | Place a jump into the Monitor and start the boot: 



8801 :4C 59 FF 
8600G 



5 I Stop the drive and move $800 to $8800: 



C0E8 
8800<800.8FFM 



6\ Set an indirect jump to the modified read routine: 



880E:80 



7 | Return control after reading the RWTS and start the read: 



884A:4C 59 FF 
8600G 



8| Stop the read and move the RWTS to a safe location: 



C0E8 
1900<B800.BFFFM 



9 I Boot the Super IOB disk: 



6 BP1 

10 I And type: 
BSAVE RWTS. MASTER TYPE,A$1900,L$800 

Now continue at step 4 in Mr. Rongays' article and you will have 
a COPYAable version of Master Type. 

If you want to make this disk totally DOS 3.3, you must go one 
step further. 

First, copy all the files off the broken Master Type to a normal 
DOS 3.3 disk (I used Copy II Plus v4.4C to transfer files) and get 
ready to use your sector editor (I used Tricky Dick). Find all the 
occurences of these low-byte ASCII codes: CATNDOG, KILLDE, 
SAVE,YZ123,YZ23. Change them to CATALOG, DELETE, 
INIT, BLOAD, BRUN respectively. Then find these high-byte 
ASCII codes: YZ123 and YZ23 and change these to BLOAD and 
BRUN, respectively. You now have a normal copy of Master Type. 



S 
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MatheMagic 

^^ International Software Marketing ^m 



Softkey For MatheMagic 

by Doni G. Grande 
(Hardcore COMPUTIST # 14, page 7) 




Requirements: 

Apple ][ with 48K 

COPY A from the DOS 3.3 System Master 

Super IOB 

A blank disk 

MatheMagic is a program which transforms your microcomputer 
into the ultimate calculator. With it, you can program your computer 
in the same way you would a programmable calculator. 

The program disk itself is copy-protected, but it can use and 
initialize normal data disks. This is done by altering RWTS when 
access is needed to the original disk, and then changing it back to 
normal when a data disk is accessed. The only parts of RWTS I 
found changed were the following locations: 



Location: $B991 $BCAE $BC60 
From: $DE $DE $FF 

To: $DF $DF $FE 



The first two locations are the address epilog start bytes and the 
last location is the sync mark used in the protected DOS. The only 
problem with just changing these locations to their normal values 
is that the program keeps changing them back whenever it accesses 
the program disk, generating an I/O ERROR. Also, since the 
program is a compiled basic program, it is very difficult to discover 
the location in the program at which this change is made. 

The answer to the problem is to let the program change DOS to 
access the program disk, but patch the RWTS subroutine to change 
those locations back to normal whenever it is called. 

The main entry to RWTS is at $BD00, and a JuMP to the patch 
can be made there if the original instructions at this entry point are 
duplicated in the patch. After DOS is put back to normal, the patch 
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jumps back to RWTS and all operates normally! 

The steps required to make a normal copy of MatheMagic are: 

I 1 | Boot a normal DOS disk. 

I 2 | Enter the Monitor, move an image of the normal DOS 3.3 
RWTS to $1900 and then modify it so it can be used by Super IOB 
to read the protected MatheMagic disk: 

CALL -151 

19©0<B8O0.BFFFM 

1A91: DF 

1DAE: DF 

BSAVE RWTS, A$1900, L$80Q 



3 | Run Super IOB with the Swap Controller installed to make 



a copy of MatheMagic. The Swap Controller will use the RWTS 
created in Step 2 to read the disk. 

I 4 | Type in the following short patch: 

0360:84 48 85 49 A9 DE 8D 91 
0368:B9 8D AE BC A9 FF 8D 60 
0370:BC 4C 04 BD 

This is the patch which will be executed just before RWTS is 
entered. The Monitor listing is: 

Store Y and A as RWTS would 

Fix data and address marks 



0360- 


84 48 


STY $48 


0362- 


85 49 


STA $49 


0364- 


A9DE 


LDA #$DE 


0366- 


8D 91 B9 


STA $B991 


0369- 


8D AE BC 


STA $BCAE 


036C- 


A9FF 


LDA #$FF 


036E- 


8D 60 BC 


STA $BC60 


0371- 


4C 04 BD 


JMP $BD04 



Might as we 1 1 fix the sync byte too 
Return control to the RWTS 

I 5 | Save this patch on the copy of the MatheMagic disk: 
BSAVE DOSPATCH, A$360, L$14 

I 6[ Load the file MA TH. HELLO from the copy disk and add the 
following: 

227 PRINT CHR$( 4) " BLOAD i DOSPATCH " 

228 POKE 48384, 76 :POKE 48385, 96 :POKE 
48386, 3 :POKE 48387, 234 

This places a JMP to $360 and a NOP as the first instructions in 
RWTS so that DOSPATCH is executed before every call to RWTS. 

I 7| Save MA TH. HELLO back to the copy disk: 

UNLOCK MATH.HELLO 
SAVE MATH.HELLO 



£ 
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Millionaire ■ 

Blue Chip Software ^m 

Softkey For Millionaire ^m 

by Ryan Hodge ^m 
(Hardcore COMPUTIST # 12, page 7) 




Requirements: 

48K Apple ][ Plus equivalent 

FID from the DOS 3.3 System Master 

A blank disk 

Integer Card or modified F8-ROM or NMI card 



T1 INIT a blank disk with INI TIAL as the null hello program. 



INIT INITIAL 

I 2| Load FID from the DOS 3. 3 System Master and modify DOS : 

BLOAD FID 
CALL -151 
B925:18 60 
B988:18 60 
BE48:18 
B8FB:29 00 

I 3 1 Run FID and copy these files onto a normal DOS 3.3 disk: 
CHA IN, COMMON, INDUST, STOCKS, MESDA TA , PLA Y, DESCR/P, PLA YER, 
RANDOM. DTA (and SA VE if it's on your disk): 

803G 



4| Boot (PR#6GII1D) the original Millionaire disk and when 



the screen 'asks' if you wish to resume an old game, hit I reset | (or 
use your NMI card) to enter the Monitor, repeat the DOS changes 
in step 2 and finally, put the Millionaire hello program, INITIAL, 
onto your normal disk containing the other Millionaire files: 

SAVE INITIAL 



S 
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Music Construction Set 

Electronic Arts 

Backup And Modify Music Construction Set 

by Dan Rosenberg 
(Hardcore COMPUTIST # 12, page 27) 




Requirements: 

a separate list is given for each version 



Many readers probably own a copy of Music Construction Set 
(MCS) which, in my opinion, is the best music program currently 
available for the Apple. However, I suspect that many owners of 
MCS are dismayed, like I was, by their inability to back up or modify 
the program. Because MCS is protected, it has an annoying habit 
of checking for an original program disk from time to time. For 
the user, this copy-protection measure means increased wear on the 
original MCS disk in addition to slowing down the overall process 
of composing music. 

The MCS disk uses a version of DOS 3.3 called DOS 3.3P (the 
P stands for Protected.) Most copy programs will copy the MCS 
disk without errors, but the copy will not work because the 
program(s) check the disk for its originality. 

Luckily it is not too difficult to defeat DOS 3.3P. Once the 
protection has been defeated it is possible to make some 
modifications to MCS. 

The Copy 

The first thing to do is determine which version of MCS you have. 
The different versions require entirely different copy methods. I 
know of two different versions, which I will call version 1 and 
version 2. Version 1 does not support the cassette output function 
(it won't ask you if you would like cassette output), and the files 
A3, A4, P3, N and appear in the catalog. Version 2 allows you to use 
cassette port output, and A3, A4 and P3 do not appear in the 
CATALOG. Check for which version you have, and then use the 
appropriate method. 
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MCS version 1 copy 



Requirements: 

48K Apple ][ Plus or equivalent 

COPYA from the DOS 3.3 System Master or bit copy program 

A blank disk 



I 1 I Boot up with any DOS 3.3 disk: 
PR#6 

I 2| Copy your MCS disk with COPYA onto the blank disk. If 
COPYA has any trouble making a copy, get out your bit copy program 
and copy tracks $0— $22 with the standard parameters: 

RUN COPYA 

I 3 I Insert the copy of MCS and load the binary file called A4: 
BLOAD A4 

I 4 1 Enter the Monitor by typing: 
CALL -151 



Jy Make the following modifications to the image of A4 in 



memory: 

9131:60 
913A:EA EA 
4C00:60 



6 | Resave the file A4 by typing: 



BSAVE A4,A$4A0O,L$B6O 



7 1 Boot up your copy of the MCS disk and start constructing 



(musically, that is). 



MCS version 2 copy 



Requirements: 

Apple ][ Plus or equivalent 

A blank disk 

Text-Editing program or... 

MAKE TEXT from the DOS 3.3 System Master disk 
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T1 Boot up a DOS 3.3 disk and then initialize a blank disk with 



a 'null' HELLO program: 

PR#6 

FP 

INIT HELLO 

| 2 | Boot up with the original MCS disk: 
PR#6 

| 3 1 When the title page saying "Will Harvey's Music 
Construction Set" comes up, hit P^H (SdHI). Be sure to I reset | 
as soon as you see the title page! 

^1 The Monitor prompt should now be showing, so place the 



disk you initialized in step 1 into the drive and type in the following 
commands: 

BSAVE H,A$400,L$600 
BSAVE A3,A$AO0,L$4000 
BSAVE A4,A$4A00,L$4B60 
BSAVE N,A$7400,L$120 
BSAVE P3,A$300,L$D0 

| 5 | Now, boot up with the disk which contains the MCS files. 
Since you can't do a PR#6 1 return] from MCS, you will have to turn 
the power OFF (or ETc3 [reset] on the Apple //e). 

| 6 | Load in the file called A4 and then enter the Monitor: 

BLOAD A4 
CALL -151 

I 7 | Next, type: 

86D9.86DB 

If you get 4C 00 C6 in response, then type: 

86D9:EA EA EA 
7F39:60 

Note: If your new copy doesn't work, type in: 

910D:60 

If you didn't get 4C 00 C6, then type: 

9131:60 
913A:EA EA 



8| Save your changes by typing: 



BSAVE A4,A$4000,L$4B60 

The new copy will now work, but you'll want a program to start 
it off. Since part of Music Construction Set uses the normal BASIC 
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memory and there is little room for a machine language program, 
we will use an EXEC file. You will either need a word processing 
program or you can use MAKE TEXT from the DOS 3.3 System Master 
to create the EXEC file. Note: if you use MAKE TEXT, don't make 
any typing mistakes because the backspace characters will be saved 
into your file. 

| 9 | Get out your word-processor or MAKE TEXT and create a text 
file which contains the following commands: 

HGR 

POKE -16301,0 
BLOAD A3 
BLOAD A4 
BLOAD P3 
BLOAD N 
BLOAD H 
POKE, -16368 ,13 
CALL 2156 

I 10 | Save this text file under the name MCS. HELLO on your copy 
of the Music Construction Set: 

SAVE MCS. HELLO 

| 11 | Type in the following program and save it on the disk as 
the Hello program: 

FP 

10 PRINT : PRINT CHR$ (4 ) "EXEC A MCS.HELLO" 

SAVE HELLO 

| 12 | To copy any of the music files from the original MCS disk 
to the copy, a file-transfer program like FID can be used. Both the 
music file and its . OBJ file have to be transferred. For instance, if 
you want the song "Dixie" on your copy of MCS, then the fries 
DIXIE and DIXIE. OBJ will both have to be transferred. 

1 13 I You can now boot up your new Music Construction Set disk 
and use it normally. If you are using a DOS other than DOS 3.3 
(Pronto-DOS, Diversi-DOS, etc.), you'll find the program will run 
much faster. I recommend you get one of these fast DOS's as they 
are well worth the money. 



Alternate Method For MCS Version 2 



Requirements: 

48K Apple ][ Plus or equivalent 
COPYA or a bit-copy program 
Disk-editing program 
A blank disk 
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1 I Make a copy of the original Music Construction Set disk 



with COPY A (IfCOPYA won't copy it, use a bit-copier): 
RUN COPYA 



2\ Use your disk-editor to make the following changes to the 



copy of the MCS: 

Track Sector Byte From To 



$B 


$2 


$D9 


$4C 


$EA 


$B 


$2 


$DA 


$00 


$EA 


$B 


$2 


$DB 


$C6 


$EA 


$B 


$D 


$29 


$20 


$EA 


$B 


$D 


$2A 


$00 


$EA 


$B 


$D 


$2B 


$4C 


$18 



Don't forget to write the modified sectors back to the copy of MCS. 

MCS Modifications 

It is also possible to customize the Music Construction Set. For 
example, say that you have your Mockingboard in a slot other than 
4. The slot that MCS expects to find the Mockingboard in can be 
easily changed with the program below. Note that there are two 
different DATA statements and you should use one or the other 
depending upon which version of MCS you own. Just type the 
program in (using the appropriate DATA statement) and save it as 
MB SLOT CHANGER by typing: 

SAVE MB SLOT CHANGER 

Just RUN the program when you want to have MCS utilize a 
Mockingboard in another slot. The program can also be used if MCS 
will not boot because you have a card in slot 4 that is not a 
Mockingboard. Just run the MB SLOT CHANGER program and then 
change the Mockingboard slot to one of the slots in your computer 
that is empty. 

5 REM DATA FOR VERSION 1 

10 DATA 4 35946 , 35951 ,35956 , 35962 , 35967 ,35972 , 35982 , 35987 
,35992 ,35998 ,36003 ,36008 ,36019 ,36022 ,36027 ,36030 

5 REM DATA FOR VERSION 2 

10 DATA 4 35932 , 35937 , 35942 , 35948 , 35953 , 35958 , 35968 , 35973 
,35978 ,35984 ,35989 ,35994 ,36008 ,36005 ,36013 ,36016 

15 REM TYPE IN ONLY 1 SET OF DATA!! 

20 DIM A(16 ) : TEXT : HOME 

30 FOR I = 1 TO 16 : READA(I ) : NEXT 

40 INVERSE : PRINT "MCS' MOCKINGBOARD' SLOT 4 CHANGER" 

50 NORMAL : VTAB 5 : PRINT "WHAT' SLOT 4 WOULD 4 YOU' LIKE 4 TO' PUT' 

YOUR 4 MOCK I NGBOARD 4 I N , 4 OR 4 HAVE 4 MUS I C 4 CONSTRUCT 1 4 SET 4 

LOOK 4 FOR 4 A 4 MOCKINGBOARD? 4 (1-7) : " ; : GETZ$ 



62 The Book Of Softkeys Volume III 



60 Z = VAL (Z$ ) : I F Z < 1 OR Z > 7 THEN HTAB 1 : GOTO 50 

70 PR I NT "MAKE* SURE" YOUR' MUS I C CONSTRUCT I ON' SET' ' D I SK' I S' I N' 

THE' DRIVE... AND' KEY" ; :GETZ$ 
80 PRINT : PRINT CHR$ (4 ) "BL0AD'A4" 
90 FOR I = 1 TO 16 : POKE A( I ) ,Z + 192 : NEXT 
100 PRINT : PRINT CHR$ (4 ) "BSAVE'A4,A$4A00,L$4B60" 
110 PRINT : PRINT "DONE." : END 

If you performed the alternate copy method (sector edit method) 
on version 2, then the above program will not work for you because 
your disk does not have a file called A4 on it. However, you can 
still change the Mockingboard slot if you have a sector-editor. The 
bytes to modify are stored on track $B, sector $8. 

Get your disk-editor running and read in track $B, sector $8 from 
the copy of MCS you made. The table below shows the bytes to 
modify. You will need to substitute the slot number you want your 
Mockingboard in for the n in the To column. For instance, if you 
want to use slot 2 for the Mockingboard, change the bytes listed 
in the table from $C4's to $C2's. 



Byte 


From 


To 


Byte 


From 


To 


$5C 


$C4 


$Cn 


$8A 


$C4 


$Cn 


$61 


$C4 


$Cn 


$90 


$C4 


$Cn 


$66 


$C4 


$Cn 


$95 


$C4 


$Cn 


$6C 


$C4 


$Cn 


$9A 


$C4 


$Cn 


$71 


$C4 


$Cn 


$A5 


$C4 


$Cn 


$76 


$C4 


$Cn 


$A8 


$C4 


$Cn 


$80 


$C4 


$Cn 


$AD 


$C4 


$Cn 


$85 


$C4 


$Cn 


$B0 


$C4 


$Cn 



After changing the bytes, don't forget to write the sector back to 
your disk. 

Cassette Port Output 

Version 1 of Music Construction Set does not allow you to use 
the cassette port for output as does version 2. Using the cassette 
port for output allows you to play the music through an external 
amplifier and speaker for improved sound quality (especially if you 
turn the treble all the way down on your amplifier). Adding cassette 
port output to version 1 of MCS is really quite simple if you have 
a little knowledge of the Apple's built-in I/O. 

Sound can be output to the Apple's speaker by referencing address 
$C030 or to the cassette output by referencing address $C020. The 
binary file called A4 controls the output of MCS, and the changes 
necessary for cassette output need only be applied to this one file. 
The program listed below will allow you to pick the output path 
(speaker or cassette) and will make the necessary modifications to 
A4. Type in this program and SAVE it as CASSETTE OUTPUT. 
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CASSETTE OUTPUT 



10 DATA '23, 43 ,46 ,66 

20 TEXT : HOME 

30 FOR I = 1 TO 4 : READ A( I ) : NEXT 

40 INVERSE : PRINT "MCS 4 CASSETTE/APPLE 4 SPEAKER* OUTPUT" TOGGLE" 

50 NORMAL : VTAB 5 : PRINT "DO" YOU 4 WANT* <C>ASSETTE 4 OR 4 <A>PPLE 4 

SPEAKER" OUTPUT 4 (C 4 OR 4 A) :" ; : GETZ$ 
60 I F Z$ <> "C" AND Z$ <> "A" THEN HTAB 1 : GOTO 50 
70 PRINT : PR I NT CHR$ (4 ) "BLOAD 4 A4" 
80 N = 33 : I F Z$ = "A" THEN N = 49 
90 FOR I = 1 TO 4 : POKE A( I ) + 21800 ,N : NEXT 
100 PRINT : PRINT CHR$ (4) "BSAVE 4 A4,A$4A00,L$4B60" 
110 PRINT "DONE." : END 

When you want to switch from speaker to cassette output (or vice- 
versa), just: 

RUN CASSETTE OUTPUT 

Final Words 

Since your new Music Construction Set is now on a normal DOS 
3.3 disk, if a DOS error is generated (like trying to load a non- 
existent file), the program will leave you in BASIC (version 2 only). 
To return to MCS just type: 

CALL 2156 

Anything that you were working on at the time of the error will 
still be intact. 

That about does it for my modifications to Music Construction 
Set. I am sure that if you poke around a bit, you can come up with 
some more enhancements for MCS. A good place to start 
investigating is the area around $7F00. Happy constructing! 



£ 
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PFS software* 

Software Publishing Corp. 

Deprotecting PFS Software 

by Gary J. Wolfe 
(Hardcore COMPUTIST # 14, page 6) 




* This softkey applies to: PFS.File, PFS.File lie, PFS:Report, 
PFS.Report lie, PFS.Graph, PFS.Graph lie. 

Requirements: 

Apple ][ Plus or equivalent 

One disk drive 

COPYA from your DOS 3.3 System Master 

Sector-editor with search capability (Zap, Inspector, etc.) 

Although most of PFS's software can be backed-up by using Copy 
II Plus' normal-copy (not bit-copy) utility, I prefer to completely 
remove the copy-protection from commercial software that I own. 
Even though the PFS series of programs are written in Pascal, the 
disk-protection code is written in Assembly language and can be 
fairly easily circumvented. To remove the protection from any of 
the PFS programs listed above, you will need some sort of disk- 
search utility. The entire disk has to be searched for a byte sequence 
of D0 04 88 98 F0 27. This code is found in a routine which checks 
the disk for the presence of extra bits in the sync fields, a protection 
scheme called the 'bit insertion technique'. If the extra bits are 
present, an $FF will be pushed on the stack, otherwise, a $00 will 
be pushed onto the stack before the routine returns to its caller. By 
changing the second byte of the search sequence from an $04 to 
a $29, the protection code can modified so that it will always push 
an $FF onto the stack whether the extra bits are present or not. 

I 1 I First, run COPYA to make a copy of the PFS program. 

I 2 I Get out your disk-search utility and search the copy for the 
all occurrences of D0 04 88 98 F0 27 and change the $04 in this 
sequence to a $29. Be sure to write the changes back to the disk. 

I 3 I Write-protect the disk before trying to boot it. 



a 
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Penguin Software 

(PS) 

Softkey For Transylvania & The Quest 

by Thomas A. Phelps 
(Hardcore COMPUTIST # 13, page 14) 



NOTE: As you are aware, both Penguin Software and Beagle Bros are 
spoken of highly for their unprotected applications disks. Even the Beagle 
game disk Beagle Bag bears no protection. Penguin game disks, on the 
other hand, are copy-protected, thus not allowing easy backup nor the art 
of APT (Advanced Playing Techniques). 

Arcade games in broken form do not especially lend themselves well to 
APT due to difficult-to-understand machine code, but adventures, especially 
ones written in BASIC, do. After performing the softkey for both 
Transylvania and The Quest, you can examine the BASIC programs which 
are the core of these fine adventures, as well as each well-drawn picture, 
without the need of traveling there in the adventure itself. 

The protection for these adventures is more or less the same, and is easily 
broken with just a little effort. First, type in the Super IOB controller below. 
Since this controller works on all Penguin entertainment software I've tried 
(including Coveted Mirror), save it to disk as PENGUIN. CON. 

After using the controller on a Penguin disk, you should add DOS (ideally 
a fast DOS). 



controller 



1000 REM PENGUIN CONTROLLER 

1010 TK = 2 :ST = : LT = 35 :CD = WR 

1020 Tl = TK : GOSUB 490 : GOSUB 1110 

1030 GOSUB 430 : GOSUB 100 :ST = ST + 1 

: I F ST < DOS THEN 1030 

1040 IF BF THEN 1060 

1050ST = 0:TK = TK+1 : GOSUB 1110 : I F TK < LT THEN 1030 

1060 POKE 47505 ,222 : POKE 47413 ,222 : GOSUB 230 : GOSUB 490 :TK = 

Tl :ST = 
1070 GOSUB 430 : GOSUB 100 : ST = ST + 1 : IF ST < DOS THEN 1070 
1080 ST = :TK = TK+1 : IF BF = AND TK< LT THEN 1070 
1090 I F TK < LT THEN 1020 

1100 HOME : PRINT : PRINT "D0NE A WITH" COPY" : END 
1110 POKE 47505 ,218 : POKE 47413 ,218 : I F TK / 2 = I NT (TK / 2 ) 

THEN 230 
1120 RESTORE : GOTO 190 
63010 DATA 212 ,170 ,150 
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Requirements: 

Apple ][, Apple ][ Plus, Apple //e or compatible 
one blank disk 
Super IOB 

First, run Super IOB with the Penguin controller installed. Once 
the program has been copied, only one modification needs to be 
made for the program to function. The Binary file TPAR checks to 
see that $D6 is non-zero (causing the BASIC program to auto-run). 
If it is not non-zero, the program will exit to BASIC as soon as 
the player is ready to enter his first command. This problem can 
be fixed in either one of two ways. One way is to add 5 POKE 
214,255 to HELLO, or, better yet, the file TPAR can be modified to 
ignore this check. To modify TPAR, follow these steps: 

I 1 1 Since TPAR loads in an area normally used by DOS buffers, 
change MAXFILES: 

MAXFILES1 

I 2 | Load in the file to be modified: 
BLOAD TPAR 

I 3 | Enter the Monitor: 
CALL -151 

I 4| NOP the $D6 byte-check: 
943D:EA EA EA 

I 5 | Save the new file: 

BSAVE TPAR,A$94Q0,L$69D 

For a complete, stand-alone copy, simply copy DOS onto the disk 
and use HELLO as the boot-up program. 

According to the VTOC, the disk has no free sectors, but a VTOC 
rebuilder will show several free sectors which may be used to store 
saved games and the APT programs listed in this article (no extra 
disk needed!). 

In addition to this bit of protection, TPAR contains a list of all the 
words the adventure understands. A utility that prints out disk files, 
or the following program will print a complete list of recognized 
words if TPAR is in memory (the periods just fill out commands 
requiring less than five letters). 
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APT: Print Commands 



5 PR# 1 : PRINT 

10 ST = 38281 : EN = 37888 +1693 

15 COL = 80 : REM f COLUMNS PRINTER SUPPORTS, SET TO FTVE FOR EACH 
RECOGNIZED WORD TO BE ON ITS OWN LINE 

20 FOR I = ST TO EN : PRINT CHR$ ( PEEK ( I ) ) ; 

30 NN = NN + 1 : I F NN = COL THEN PR I NT CHR$ (13) :NN=1 

40 NEXT I : PRINT CHR$ (13) 

45 PR# 

Examining the BASIC program TRANS will give you some clues 
and show some interesting program techniques; it's worth looking at. 

Another benefit of unlocking Transylvania is that the beautiful 
hi-res pictures can be enjoyed without the bother of traveling through 
the entire adventure. Owners of the Graphics Magician can load 
up the pictures, just as if they were any other picture created with 
the picture-editor, or those without can use the following program 
to take a look at the pictures (save to the Transylvania disk under 
SEE PICTURES). 



APT: See Pictures 



10 IF PEEK (103 )+ PEEK (104 )<> 65 THEN POKE 103 ,1 : POKE 104 ,64 

: POKE 16384 ,0 : PRINTCHR$ (4 ) "RUN* SEE* PICTURES" 
20 TEXT : HOME : HGR : PR I NT CHR$ (4 ) "BL0ADPICDRAW2" 
30 HOME : VTAB 21 : INPUT "SEE 4 PICTURE* -> A " ;A$ : I F LEFTS (A$ ,3) < 

> "CAT" THEN 50 
40 TEXT : HOME : PRINTCHR$ (4 ) "CATALOG" : PRINT : PRINT "ANY' KEY* 

" ; : GETA$ : PRINT A$ : HGR : GOTO 30 
50 IF A$ = "" OR A$ = "END" THEN TEXT : HOME : END 
60 PR I NT CHR$ (4) "BLOAD* " A$ " ,A4608" : POKE 2560 ,0 : POKE 2561 ,18 

: CALL 2608 
70 GOTO 30 

The possibilities for modification are endless; you can even 
modify the adventure map! 



The Quest 



Requirements: 

Apple ][, Apple II Plus, Apple //e or compatible 
Super IOB 
two blank disks 
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The softkey for The Quest is less complex than the softkey for 
Transylvania. You need to use the Penguin controller on the boot 
side of the disk and, interestingly enough, only COP YA on the back 
side. 

After that, a couple of modifications need to be made. First of 
all, the boot program needs to be changed so that a file called AMP 
2. 8 can be BLOADed into the DOS buffers. Type the following: 

FP 

10 PRINT CHR$( 4)"MAXFILES1": PRINT CHR$( 4)"BRUN QUEST" 
SAVEQA 

Copy DOS onto the disk and use QA as the boot-up program. 

The next modification concerns a check to see if Penguin DOS 
is still in the machine. The check occurs in line 9120 of a program 
called QB so 

LOAD QB 

Change the Z = PEEK (47692) in line 9120 to a Z = PEEK 
(47693) and then: 

SAVE QB 

Like Transylvania, the disk shows no free sectors, but a 
CATALOG rebuilder (such as FIXCAT from Bag of Tricks) will 
recover the unused sectors which can now be used for saved games. 

APT For The Quest 

The end of this adventure is much, much better than that of 
Transylvania. In fact, to see the end without toiling with the 
adventure, flip the disk to side two and BRUN EQA. Excellent work 
on the part of the authors and on the COPYAable side - interesting. 

Again, all the hi-res pictures may be viewed but, disappointingly, 
many are duplicates. The BASIC program^ can also be examined 
to aid in solving this adventure. 



--=-- Minute Man and more... WM 

As I mentioned earlier, Super IOB works on other Penguin game 
disks as well. For example, running Super IOB on Minute Man and 
simply changing line one to 1 HOME: HGR: HGR2: PRINT 
CHR$(4)"MAXFILES1" will create an unlocked Minute Man 
which, of course, may be copied with COPYA or any other copier, 
even FID\ 

Well, that's it! Watch for the return of three mice in The Quest, 
and have fun! 



3 
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Rocky' s Boots ■ 

The Learning Company ^M 

Tracking down Rocky's Boots ^M 

by Jerry Caldwell ■■ 
(Hardcore COMPUTIST # 14, page 22) 




Requirements: 

Apple ][ Plus or equivalent 
Super IOB 
Sector-editor 
Blank disk 

Rocky's Boots is an educational program designed to instruct 
students of any age in the basic concepts of electronic digital logic. 
The user progresses from learning about electricity to the point where 
he/she is able to construct 'machines' from wires, logic gates, clocks, 
sensors and other pieces of hardware that will 'kick' targets of a 
specific color and/or shape. Unfortunately (or fortunately for those 
of us who like a challenge), Rocky's Boots is copy -protected. 

The Learning Company uses two techniques to copy-protect 
Rocky 's Boots. First, every sector on the disk is marked as if it were 
on track 0. This prevents the use of COPY A or any other standard 
copier to make a backup. The second copy -protection measure 
involves the use of half-tracks with track arcing during the boot 
process of the disk. On Rocky's Boots, tracks 3.0, 3.5 and 4.0 each 
contain five sectors of data. 

While the first technique is easy to circumvent with the use of 
a bit copier, the latter technique is more difficult to defeat, even 
with a bit-copier which can read half-tracks. If full tracks of data 
are written to a disk in half-track increments, the data on adjacent 
half-tracks will tend to be obliterated. However, the half-tracks on 
an original copy of Rocky 's Boots are written in a special manner 
so that they are synchronized with one another, with each of the 
half-tracks containing only five sectors of data. This pattern is 
generally very hard to duplicate with a bit-copier but can be read 
with the proper software. Both of the copy-protection techniques 
I've described can be removed so that a backup which resides on 
a normally formatted disk can be produced. 
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There are two basic things which must be done to produce the 
backup. First, all of the data that is written to the original must be 
moved to a backup disk. The data that resides on the three half- 
tracks on the original disk will be written onto one full track on 
the backup disk. This transfer can be handled by Super IOB with 
the Rocky 's Boots controller listed on this page installed. 

Once Rocky 's Boots has been moved to a normally formatted disk, 
a couple of changes need to be made to the disk so that it will run 
properly. This involves some changes to the disk I/O code so that 
no half-tracks will be accessed and I/O errors will not be generated 
when the program finds that the sectors are marked normally instead 
of as if they were all on track $0. One other change has to be made 
so that one can exit from Rocky 's Boots without having it crash into 
the Monitor. 

Making The Copy 

Begin by typing in the controller listed below. Install it into Super 
IOB and RUN. 

controller 

1000 REM ROCKY'S BOOTS CONTROLLER 

1010 TK = :ST = : LT = 34 :CD = WR : POKE 48573 ,128 

1020 GOSUB 490 :T1 = TK :TK = :CD = : GOSUB 100 : GOSUB 80 :S = 

-128 : GOSUB 130 
1025 CD = RD :S = Tl * 2 : GOSUB 130 : RESTORE : GOSUB 170 :S = 2 
1030 TK = PH / 2 : GOSUB 430 :TK = : GOSUB 100 :ST = ST + 1 : IF ST < 

DOS THEN 1030 
1040 I F BF THEN 10601050 ST = : GOSUB 130 : I F PH = 6 THEN GOSUB 

1110 
1055 IFPH< LT * 2THEN 1030 

1060 GOSUB 310 : GOSUB 490 :TK = Tl :ST = : GOSUB 230 
1070 GOSUB 430 : GOSUB 100 : ST = ST + 1 : IF ST < DOS THEN 1070 
1080 ST = :TK = TK + 1 + (TK = 3 ) : GOSUB 1150 : IF TK = 3 THEN GOSUB 

1160 
1085 I F BF = AND TK < LT THEN 1070 
1090 I F TK < LT THEN 1020 
1100 HOME : PRINT "DONE 4 WITH 4 COPY" : END 
1110 S = 1 : ST = 1 : GOSUB 1160 : GOSUB 100 :ST = 
1120 FOR Al = 1 TO 5 :TK = 3 :ST = ST + 1 : GOSUB 430 :TK = : GOSUB 

100 : NEXT 
1130 GOSUB 130 : I F PH < 9 THEN 1120 
1140 GOSUB 130 :S = 2 :ST = 

1150 POKE 48683 , 185 : POKE 48684 , 184 : POKE 48685 , 191 : RETURN 
1160 POKE 48683 ,234 : POKE 48684 ,234 : POKE 48685 ,234 : RETURN 
5000 DATA 255 ,255 ,255 ,255 
5010 DATA l 4 CHANGES 
5020 DATA ,7 ,43 ,231 
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Note: During the copy process, the disk head will recalibrate just 
before reading the original disk. If it should recalibrate in the middle 
of reading the original, then you will get a bad copy. 

A Few Controller Words 

Here is a list of the differences in this controller from the standard 
one which makes it successful. 

1010 —Set the last track to be copied at 33, set extended error retry 

mode. 
1020 —Tell DOS to position over track 0, recalibrate. 
1025 —Fix command code, move to correct track via MOVE S 

PHASES, alter the ending marks (to FF FF, FF FF), fix 

step variable for whole tracks. 
1030 —Calculate TK so that PRINT TRACK & SECTOR # will 

display the correct track, restore TK to zero since that is 

what the sectors are marked as. 
1050 —If on track 3 then call the track arcing reader at 1110. 
1060 —Call the sector-editor to edit track 0, sector 7, byte $2B to 

$E7, normalize the DOS ending marks. 
1080 —Skip track 4, tell DOS to write logical sectors unless on track 

three in which case, tell DOS to write physical sectors. 
1110 —Set the step variable for half-tracks, tell DOS to read physical 

sectors, read sector 1 as a dummy, fix sector variable. 
1120 —Read the next five physical sectors. 
1130 —Step forward a half-track, if not done with the track arcing, 

then read five more sectors. 
1140 —Move on to track five, fix step variable, start with sector 

zero of track five. 
1150 —Restore DOS so that it reads logical sectors. 
1160 —Alter DOS so that it reads physical sectors. 

Once the Super IOB copy of Rocky 's Boots has been made, there 
are a few changes that have to be made to the disk so that it will 
function properly on a normally formatted disk. 

Rocky's Boot-up 

During the boot-up of the disk, some code is written to page $04 
(on the text page) that is responsible for accessing the data on the 
half-tracks. After this has been accomplished, the code exits to $500 
to where the menu is read in. Putting code on the text page like 
this is also a form of copy-protection. 

An interesting fact about Rocky 's Boots is that it always uses the 
sector read routine at $Cc5C (x being the slot number) to read the 
disk. That is, the original Rocky 's Boots uses this ROM subroutine. 
The modification we will make moves this routine into RAM where 
it can be modified to suit our purposes. 

This change modifies the code that is written to page $04 so that 
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it does not access the half-tracks, but instead, reads the data that 
was written on tracks 3.0, 3.5 and 4.0 all from track $03. After 
this has been done, the code will move the sector-read routine from 
the disk controller card to $400— $49E and then modify it so that 
the normally-marked sectors will not cause any errors. Our code 
will also make a modification at $508— $50A so that the code which 
was moved to $400— $49E will be used instead of the routine in 
the disk controller's ROM. This change has to be made to track 
$00, sector $07 (logical) on the Super IOB copy of Rocky 's Boots. 
To make this change, get out your sector-editor and read in track 
$00, sector $07 of the backup. Move the cursor to byte $AE of this 
sector and start entering the bytes listed in the hexdump below. Write 
the sector back to the disk when you have finished entering all of 
the bytes. For those who are interested, the source listing of this 
is included. 

A2 0F 20 0C 04 20 2A 04 

46 4A A9 A4 85 76 A9 03 

85 77 A9 00 85 78 A5 3F 

85 79 A0 5C Bl 78 91 76 

C8 D0 F9 A9 41 8D 43 04 

A9 04 8D 0A 05 A9 00 8D 

09 05 A6 2B 86 EF 4C 00 

05 E6 41 20 2D 04 60 

A Graceful Exit 

The final modification is made to track $1, sector $07 of the 
backup so that the drive will reboot properly when the "END" 
option is chosen from the main menu. This modification is necessary 
because with the previous sector-edit we tricked the program into 
thinking the disk controller ROM was located on the text page (page 
$04). The program will just crash if it tries to reboot from there. 
So, to restore a graceful exit to Rocky 's Boots, make the following 
change to the Super IOB copy. 

Track Sector Byte From To 

$01 $07 $03 $AC $A4 
$01 $07 $04 $0A $3F 
$01 $07 $05 $05 $EA 

Once you have written the change back to the disk, you will have 
a fully functional backup of Rocky 's Boots. 

Those of you who would like to learn how Rocky 's Boots works 
might be interested to know that each of the items on the menu 
(Rocky's Boots, Rocky's Challenge, etc) has an entry point of $A00. 
If you have some means of halting without a reboot (old F8 ROM 
or a NMI card, etc.) you can stop the program, snoop around 
memory to your heart's content and then restart the module in 
memory with a A00G. Just keep in mind that the code necessary 
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for disk access resides on the text page and it will hit the proverbial 
bit bucket as soon as the Monitor is entered. 

Once the program has been halted, you will have to reboot the 
disk in order use the main menu. 

Other Learning Company Programs 

Other Learning Company programs are copy-protected in a 
similar fashion to what I have described for Rocky 's Boots. There 
are several ways to approach these programs. 

One of the easiest approaches is to make a bit-copy of the original 
and boot it with the cover of the disk drive removed. The head will 
probably move inward until it tries to read from a track that should 
have adjacent half-tracks. You may then replace the copy with the 
original, close the door briefly and then re-open it. As the Apple 
reads the data in, you can determine which are the half-tracks. By 
alternating between the bit-copy and the original copy, you can 
determine where the half-tracks end and when full tracks are again 
being accessed. Once the half-tracks have been read, the bit-copy 
will probably function just as well as the original. 

The sector responsible for reading in the half-tracks probably will 
be sector $01 of track $00 on other Learning Company disks, just 
as it is on Rocky 's Boots. You should be able to read this sector 
with the Inspector or Tricky Dick (set the end-of-address and data- 
marks to 000000). Look for instructions like: 

B9 81 C0 LDAC081.Y 
B9 80 C0 LDAC080.Y 

These are instructions which control the head movement of the drive. 
Look also for instructions which call subroutine which are displaced 
three steps away in memory, such as: 

800: 20 03 08 JSR $0803 

803: 48 PHA 

804: 98 TYA 

805: 48 PHA 

If a call to $803 causes the head to increment a half-track, then a 
call to $800 will cause two half-track increments, in other words, 
a whole track (for an example of this, look at the code which starts 
at byte $2A of track $0, sector $7 on Rocky 's Boots). Having found 
the appropriate sector, one still needs to recover the data from the 
half-track arcs. Knowing the location in memory to which the data 
goes, an Integer card could be used (as it could have in our example 
here) to recover that data. You would need to dissasemble the sector 
to trace that information. With other programs, it may not be easy 
to find a place in the RAM memory to place the disk controller ROM 
as we were able to do with Rocky 's Boots. In such a case, you should 
plan on only modifying track and the half-track arcs, and backup 
the remainder of the disk with a bit copier. 
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source code 



* Patch th i s code to t rack $0 , sector $7 of the I0B copy of Rocky ' s Boot . 

* The code will move t he d i sk cont ro 1 1 er ROM Sector Read rout i ne onto 

* the text page where it wi 1 1 be used to read the normal ized copy 

.0R$4AE 
.TA$800 
.TF ROCKY CODE 



04EA: 


A2 0F 


LDX #$0F 


START ON SECTOR $F 


04EC: 


20 0C 04 


JSR $040C 


READ SUBROUTINE 


04EF: 


20 2A 04 


JSR $042A 


MOVE A FULL TRACK 


04F2: 


46 4A 


LSR $4A 


RESET TO LOGICAL SECTORING 


04F4: 


A9A4 


LDA #$A4 


SET UP THE ZERO 


04F6: 


85 76 


STA $76 


PAGE POINTERS 


04F8: 


A9 03 


LDA #$03 


TO MOVE THE ROM 


04FA: 


85 77 


STA $77 


SECTOR READ ROUTINE 


04FC: 


A9 00 


LDA #$00 


AT $CX5C TO $400 


04FE: 


85 78 


STA $78 




0500: 


A5 3F 


LDA $3F 


$3F HOLDS HI BYTE OF 


0502: 


85 79 


STA $79 


CONTROLLER'S ROM ADDRESS 


0504: 


A0 5C 


LDY #$5C 


OFFSET INTO ROM 


0506: 


B178 MOVE IT 


LDA ($78), Y 


MOVE THE CODE 


0508: 


9176 


STA ($76), Y 




050A: 


C8 


INY 




050B: 


D0F9 


BNEMOVEIT 




050D: 


A9 41 


LDA #$41 


MAKE A MOD TO PREVENT 


050F: 


8D 43 04 


STA $0443 


I/O ERRORS 


0512: 


A9 04 


LDA #$04 


MODI FY THE CODE ON 


0514: 


8D 0A 05 


STA $050A 


PAGE $5 SO THAT STA $507 


0517: 


A9 00 


LDA #$00 


THE CODE AT $400 LDA #$00 


0519: 


8D 09 05 


STA $0509 


IS USED TO READ DISK STA $506 


051C: 


A6 2B 


LDX $2B 


$2B HOLDS SLOT # 


051E: 


86 EF 


STX $EF 




0520: 


4C 00 05 


JMP $0500 


EXIT TO $500 


0523: 


E6 41 


INC $41 


PATCH THAT INCREMENTS 


0525: 


20 2D 04 


JSR $042D 


THE TRACK # 


0528: 


: 60 


RTS 




Note 


: Some versions 


may require 


the change below: 


0514 




STA $507 




0517 




LDA #$00 




0519 




STA $506 
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Sabotage 

On-line Systems 



Backup For Sabotage 

by Clay Harrell 
(Hardcore COMPUTIST # 12, page 7) 




Requirements: 

Apple ][, Apple ][ Plus, or Apple //e 
A blank initialized DOS 3.3 disk 



Sabotage was about the first game I ever bought for my Apple 
way back when DOS 3.3 had just been released. Even though it 
is a somewhat simple game, it held my attention for quite some time 
and even now I occasionally still play it. 

The last time I tried to play Sabotage, I noticed that the original 
disk was having a hard time loading the hi-res title page. No doubt, 
the disk had seen its day and needed to be backed-up. I figured I 
could still save it before it was too late. 

The protection used by On-Line was somewhat simple when this 
program was released (back in the good ol' days when Sierra On- 
Line was just On-Line Systems). The disk is in a modified DOS 
3.2 format which was another good reason for backing it up (this 
thing boots slooooowly!). 

You can boot the disk and press ISC I to interrupt the Hello 
program before it executes. You may now CATALOG the disk and 
examine the files if you wish. 

The Hello program BLOADs the banner picture and just BRUNs 
the game (file: SABOTAGE). What we want to do is BLOAD 
SABOTAGE, then check the locations it was loaded at and its length: 

BLOAD SABOTAGE 

and then enter the Monitor with: 

CALL -151 
Then type: 

AA60.AA73 
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The last two bytes listed will be the location SABOTAGEwas loaded 
at, and the first two bytes will be the length of the file, in 
bassackward order, of course. If you list memory aj $1D00, you 
will see that there are some memory moves to page $©1 and an RTS. 
If you type SlDOOG Ireturnj , the drive starts up and makes sure 
you're using the original disk. 

Obviously, we don't want this routine in our final production. 
Well, past that, the starting address is $1D1F and the file continues 
up to $5400. 

So, to backup Sabotage we just BLOAD the file SABOTAGE, boot 
a 48K slave disk and BSAVE the file. 

In cookbook fashion, here are the steps to deprotection: 

I 1 | Boot the Sabotage disk. 

| 2| Press Bel immediately, and after the Hello program is 
loaded, your Apple will beep and you will be in Applesoft BASIC. 

EH Type: 

BLOAD SABOTAGE 

| 4| Boot a 48K DOS 3.3 slave disk by typing: 
PR#6 

| 5 | Save the program to your disk by typing: 
BSAVE SABOTAGE,A$lDlF,L$36E2 



ft 
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Seadragon | 



Adventure International 

Softkey For Seadragon 

by JeffRivett 
(Hardcore COMPUTIST # 14, page 8) 




Requirements: 

Apple ][ 
Super IOB 



When I first encountered Seadragon, like most people, I was fairly 
impressed by its animation and sound routines. However, I didn't 
play it too often because I was not able to back it up, and I don't 
like using originals. 

The program boots very much like a normal disk. You can get 
a good copy up to the title page with any bit-copier, but when you 
try to run the game, it will load and then start to do a strange thing. 
It sounds as if the disk drive is having a spasm, continually moving 
from track $0 to track $22 until you hit Preset] or turn the machine 
OFF. But the designers have nicely set the reset vector so that you 
cannot stop the reboot by repeatedly hitting fRlsfrl . 

Count Nibble and Friends 

The program is actually doing a funny kind of nibble-count. If 
you look at track $22 with a nibble-editor, you will see a repeating 
pattern of FF's and DD's. This pattern is what the copy-protection 
looks for, and it is fairly hard to copy. I found that Copy II Plus 
will do it on default parameters if you fiddle with your drive speed. 

Once I was able to copy the disk, I started to really get into the 
game. There, I ran into another old enemy, the Arcade Mentality: 
the game is just too difficult. I felt I had been let down, and started 
thinking about how I could get some satisfaction from the game. 
That's when I thought about modifying it, which means first 
removing the copy-protection. 
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The protection on this disk comes in stages. First, the End-of- 
data marks have been changed from DE AA to AA DE. The DOS 
is very much like normal DOS, and to allow it to read the different 
marks, the read-error-routine has been turned off. Pretty clumsy, 
right? The only sector on the disk without these different marks is 
the one used to store high scores, track 3, sector 0. In any case, 
I dealt with this problem by writing a Super IOB controller which 
fits these requirements. 

The disk's DOS does not need to be changed to read the new, 
unprotected format, but I wanted to normalize the disk as much as 
possible, so I made the Super IOB controller edit track 0, sector 
3 as shown in the list below. 

The next problem was the nibble-count. Since the disk was now 
easily read with a sector-editor, I reasoned that it should be possible 
to locate the nibble-count-routine and turn it off. I found this routine 
at track $19, sector $0E. 

Unscrambling 

But the Protectors hadn't finished yet. After I turned off the nibble- 
count, I booted the copy. The game started to run and then some 
very funny things happened. The mines seemed to be all over the 
place. And when I got far enough into the cave, the game simply 
hung. There is an area that is used for game data at $9500 which 
seems to get scrambled when you turn the nibble-count off. But the 
routine that does this can be found at track $19, sector $08. 

Now the game seemed to run perfectly, and continued to do so 
just as long as I never used torpedoes. Well that certainly wasn't 
much fun. Another routine had been activated that was forcing an 
early link to the next level, that is, the end of the cave where you 
meet the Seadragon. When I pushed the torpedo button, this part 
of the game loaded and I was actually able to play it. You might 
want to try this just for fun if you've never seen the Seadragon. 
The routine that messes up this part of the game is at track $15, 
sector $0E. 

After I located and turned off these routines, I found that the game 
ran normally except that it took slightly longer to load. This was 
simply due to the fact that I had turned the read-error-routine on. 

So to make a working, COPYA-able copy, load Super IOB and 
install the controller listed at the end of this article. Next, run it 
on Seadragon. The controller will make these sector changes: 

Track: $00 $00 $00 $00 $19 $19 $19 

Sector: $03 $03 $03 $03 $0E $08 $0E 

Byte: $36 $37 $3F $40 $00 $25 $E7 

From: $EA $EA $00 $D0 $4C $A2 $A9 

To: D0 $0A $AA $F0 $60 $60 $60 
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The Advanced PL 



Technique! 



There are lots of things out to get you in this game. Using the 
list I have compiled, you can now customize the game so that the 
more insidious ones just disappear. There are also a few irritating 
noises, which may now be turned on and off at will. I suggest, 
however, that you make a backup of your new copy before you get 
too carried away. 

APT type Track Sector Byte From To 



Stop voice game start 


$04 


$02 


$B8 


$AD 


$60 


Stop sub explosion sound 


$16 


$0D 


$DF 
$E0 
$E1 


$AD 

$30 
$C0 


$EA 
$EA 
$EA 


Stop irritating noise 


$17 


$07 


$8F 
$90 
$91 
$BD 
$BE 
$BF 


$AD 

$30 
$C0 
$AD 
$30 
$C0 


$EA 
$EA 
$EA 
$EA 
$EA 
$EA 


Mine speed ($00= off) 


$14 


$0C 


$DE 


$05 


$00-$09 


Eel speed ($FF=off) 


$14 


$08 


$0B 


$04 $00-$FF 


Seaweed speed ($FF=off) 


$14 


$09 


$59 


$01 


$00-$FF 


Seaflea speed ($00= stop) 


$14 


$06 


$15 


$02 


$00-$02 


Stalactite speed ($0=stop) 


$14 


$07 


$47 


$04 


$00-$09 


Turn OFF force field 


$14 
$15 


$0A 

$07 


$33 
$62 


$46 
$05 


$00 
$00 


Turn OFF shooters 


$14 


$0A 


$E3 


$01 


$FF 


Unlimited damage 


$18 


$0B 


$6E 

$6F 
$70 


$8D 

$2E 
$43 


$EA 

$EA 
$EA 


Unlimited air 


$18 


$0B 


$32 


$01 


$00 


Free sonic disruptor 


$18 


$0B 


$59 


$05 


$00 


ot 


her Stuff 









The main portion of the game is on tracks $12 to $19. After the 
sub blows up, the game restarts at $8868. The actual amount of 
air you have is stored at $432B— $432C. Damage is at $432E. There 
are many other interesting locations, including $4DB0 and $57F3. 
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How I Did It 

Most of the detective work I had to do to de-protect this disk was 
done with the aid of my Replay II card and Nibbles Away II. Replay 
allowed me to enter the Monitor at any time and look at the code. 
When I found a suspicious looking routine, I searched the disk using 
the disk-scan utility in the sector-editor part of Nibbles Away II. 
After locating the routine, I was able to disassemble it from within 
the sector-editor, make a calculated change, and boot the copy to 
see what, if anything, had changed. 

Closing Remarks 

I found that being able to control the game really increased my 
enjoyment of it. For example, I was having a lot of trouble figuring 
out how to get past the Seafleas, so I turned everything else off so 
that I could concentrate on them alone. You may want to turn 
everything off just to try navigating the cave from beginning to end. 
Have fun. 



controller 

1000 REM SEA DRAGON CONTROLLER 

1010 TK = :ST = : LT = 34 :CD = WR 

1020 Tl = TK : GOSUB 490 : RESTORE : GOSUB 170 

1030 GOSUB 430 : I F ST = 1 AND TK = 3 THEN RESTORE : GOSUB 170 

1035 GOSUB 100 : ST = ST + 1 : I F ST < DOS THEN 1030 

1040 I FBF THEN 1060 

1050 ST = :TK = TK + 1 : I F TK = 3 THEN GOSUB 230 

1055 I F TK < LT THEN 1030 

1060 GOSUB 230 : GOSUB 310 : GOSUB 490 :TK = Tl :ST = 

1070 GOSUB 430 : GOSUB 100 :ST = ST + 1 : IF ST < DOS THEN 1070 

1080 ST = :TK = TK + 1 : IF BF = AND TK < LT THEN 1070 

1090 I F TK < LT THEN 1020 

1100 HOME : PRINT "DONE* WITH* COPY" : END 

5000 DATA 222 ,170 ,170 ,222 

5010 DATA 7" CHANGES 

5020 DATA 25 ,14 ,0 ,96 ,25 ,8 ,37 ,96 

5030 DATA 21 ,14 ,231 ,96 

5040 DATA ,3 ,54 ,208 ,0 ,3 ,55 ,10 

5050 DATA ,3 ,63 ,170 ,0 ,3 ,64 ,240 



i 



The Book Of Softkeys Volume III 81 



I Sensible Speller IV | 

^^ Sensible Software jjjj 

■ Sensible Speller IV: UPDATE ||| 
^^ by Doni G. Grande ^s 

■ (Hardcore COMPUTIST # 11, page 24) 




Requirements: 

Apple ][ or Apple ][ Plus 

16K RAM card 

(If you don't have a RAM card, see note at end of article) 

Blank disk 

Any DOS track-copy program 



Editor's Note: The softkey that was published in The Book Of Softkeys 
Volume n (Hardcore COMPUTIST # 9 for Sensible Speller IV was based 
upon revision 4. 0d and, unfortunately, would only work correctly on that 
revision. Apparently there have been many minor revisions (over a dozen) 
to Sensible Speller and most of these revisions have changed the program 
to the extent that it no longer has the same startup point nor does it occupy 
the same memory range. If the former softkey is attempted on these revised 
versions, the results are usually disappointing: the copy will either hang 
up after loading the Sensible Speller logo or will give a CHECKSUM 
ERROR message when the main menu appears. Don 't despair, though, 
because with some modifications to one of the programs 
(SPELLER. LOADER) presented in the original article the softkey can 
be performed successfully on any revision of Sensible Speller IV (at least 
up to revision 4.2b anyway). 

What It Does 

Let us first delve a little deeper into what the original softkey 
does. This demonstrates an excellent use for a RAM card. A little- 
realized fact about RAM cards is that they completely ignore the 
Ireseti key. When power is first applied to the Apple, the RAM 
card's own Ireseti circuitry is set to certain power-up defaults. 
After that, whenever it is enabled by use of the soft switches (see 
the manual that came with the card if you do not know about soft- 
switches), it keeps control until it is specifically turned off. That 
is why it was possible to reset into the Monitor in the original softkey 
by just using the RAM card. This technique is normally possible 
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only with an Integer card or modified F8-ROM! Those of you out 
there cursing your lack of an Integer card should note the use of 
the RAM card here. 

To determine why the original softkey works (at least on 4.0d), 
get out your copy of The Book Of Softkeys Volume II or 
Hardcore COMPUTIST # 9 and follow along. 

First, the RAM card is moved to slot one, which is a non-standard 
slot. As mentioned in the article, most software only looks in slot 
zero for a RAM card, so it is effectively hidden by moving it to 
slot one. Also, as mentioned above, once the RAM card has control 
of the Apple, not even Ireset] will make it let go! So an active 
RAM card in slot one is not likely to be disabled by software and 
has the full power of a 'normal' (slot zero) RAM card. 

Next, a disk with a somewhat modified DOS is made. This 
modification consists of a 'patch' in the $B6 page of DOS (A page 
of memory is 256 locations, which works out in hexadecimal to mean 
that the first two digits of the address do not change. Hence, page 
$03 refers to $0300— $03FF). Page $B6 ($B600-$B6FF) resides 
on the disk on track $0, sector $0 and is the first sector to be read 
into memory when a disk is booted. It is read into memory page 
$08 where, upon execution, it normally reads track $0, sectors $0 
through $9 into memory at $B600— $BFFF. This the portion of DOS 
containing the RWTS (Read/Write Track & Sector) which is 
responsible for all the gory details of disk operation. Track $0, sector 
$0 is re-read into page $B6 so that RWTS has something to put on 
the disk so that it can boot. The patch made to the $B600 area in 
the original softkey enables a RAM card in slot zero, copies the 
motherboard language into it, sets up a location on page $02, and 
then jumps to another patch at $B700. 

The patch at $B700 is installed in step 7 of the softkey. This is 
the real core of the procedure since this patch loads Sensible Speller 
into memory from the disk when it is booted. The SPELLER. SA VER 
routine in the former article stores the menu and utilities on the disk 
in a certain way. The following table is a track/sector map of the 
first seven tracks and their respective memory locations. 



Track:-* 


1 


2 


3 


4 


5 6 7 


Sector:! 00 


B6 0B 


X 


X 


IB 


2B 40 50 


01 


B7 0C 


X 


X 


1C 


2C 41 51 


02 


B8 0D 


x 


X 


ID 


2D 42 52 


03 


B9 0E 


x 


X 


IE 


2E 43 53 


04 


BA0F 


X 


X 


IF 


2F 44 54 


05 


BB 10 


X 


X 


20 


30 45 55 


06 


BC 11 


X 


X 


21 


31 46 56 


07 


BD 12 


X 


X 


22 


32 47 57 


08 


BE 13 


X 


X 


23 


33 48 58 


09 


BF 14 


X 


X 


24 


34 49 59 


0A 


71 15 


X 


X 


25 


5 4A 5A 



The Book Of Softkeys Volume III 83 



The hi-res Sensible Speller logo is stored on tracks $6 and $7. 
The first thing that the patch at $B700 does is to display hi-res page 
two ($4000— $5FFF) and load this logo from the disk. Then, 
$0800— $3A00 is loaded from tracks $0— $5 (in reverse order), 
skipping over tracks $2 and $3 which are not used by the copy 
routine. Page $3 is loaded from track $0, sector $0C and then $7700 
and $7100 are loaded from track $0, sectors $0B and $0A 
respectively. I assume that $7700 must be used in some way by 
Sensible Speller 4.0d; later versions do not use it. Page $71 was 
used by the Ireseti trap routine to store page $0. All the important 
parts of memory are restored to their original contents when the 
disk is booted. The last task of the patch at $B700 is to restore zero 
page and jump to the Speller program. This patch is stored to the 
disk on track $0, sector $1 in steps 8 through 10. Then, $0800 to 
$3A00 is loaded from tracks $0, $ 1 , $4 and $5 with the use of the 
normal DOS RWTS. 

Getting back to the original procedure, next the unprotected tracks 
($2— $3 and $6— $22) on the original disk are copied with a bit- 
copier or by Super IOB. Then, the SPELLER. SAVER routine is 
patched into the RAM card, the original disk is booted, and QUID 
is pre ssed. The patch entered in step 17 saves page $0 at $7100 when 
I reset! is pressed, allowing the SPELLER. SAVER routine to save a 
complete snapshot of memory to disk. When the SPELLER . SAVER 
program is run (D000G in step 22), it writes the important areas 
of memory to disk at the tracks and sectors shown in the preceeding 
table. When the disk is booted, Sensible Speller is loaded back into 
memory and started. 

What Goes Wrong 

I found that on later revisions of Sensible Speller the menu and 
utilities take up two or three more pages of memory than the original 
softkey saves to disk. If the entire menu is not present in memory, 
the copy of Sensible Speller will print a CHECKSUM ERROR 
message when the menu appears. The SPELLER . SAVER program 
saves the menu and utilities to the unprotected disk on tracks $0, 
$1, $4 and $5, but I found out that the same code also exists on 
tracks $8 through $B which are copied during step 1 1 of the softkey. 

Another problem with the original softkey is that the entry point 
of $33D9 is correct only for 4.0d. Each of the revisions seems to 
have a different entry point and if the entry point is not correct, 
the copy will usually just load in the Sensible Speller hi-res logo, 
switch to the text screen and then hang. 

One thing to notice about an original copy of Sensible Speller 
is tha t the program will always return to the main menu if the 
I Reset | key is hit (at least with an autostart F8-ROM). This is a clue 
that the reset vector at $3F2 somehow points to the correct menu 
entry point. Because the original softkey saves page $03 on track 
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$0, sector $0C, the values in the Ireset] vector can be viewed with 
a sector-editor. The values in $3F2— $3F3 turn out to be $F8 03, 
which points at $03F8. At $3F8 the Assembly language instruction 
reads JMP ($004E) which is an indirect JMP to the values at 
$4E— $4F. Therefore, for all versions of Sensible Speller to work 
correctly, the last thing the SPELLER. LOADER program should do is 
to perform a JMP ($004E). 

The modifications I have made to the SPELLER. LOADER program 
load the menu and utilities from tracks $8— $B into memory at 
$0800— $3FFF. Some of these sectors on track $B may or may not 
be needed but the program loads them in regardless so that the 
procedure will work with all of the different revisions. Another 
modification I made was to have the SPELLER. LOADER program lay 
track $2, sector $0F over page $09 in memory where the setup is 
contained. This ensures that the latest setup is used each time the 
disk is booted. Finally, my modified SPELLER. LOADER program 
performs the JMP ($004E) to enter the menu. 

Note: This assumes that you have already tried making a copy 
using the sqftkey from the previous Book Of Softkeys (Hardcore 
COMPUTIST # 9). This non-working copy will work if you: 

| 1 | Boot the DOS 3.3 master disk. 

| 2 I Insert the copy disk made using the original procedure, then 
enter the Monitor and type in this hexdump: 

CALL -151 

B700: 2C 50 CO 2C 57 CO 2C 52 
B708: CO 2C 55 CO A9 OF 8D ED 
B710: B7 A9 07 8D EC B7 A2 01 
B718: 8E EA B7 CA 8E F0 B7 A9 
B720: 5F 8D Fl B7 20 7F B7 AD 
B728: Fl B7 C9 40 B0 F6 A9 0B 
B730: 8D EC B7 A9 07 8D ED B7 
B738: 20 7F B7 AD Fl B7 C9 08 
B740: B0 F6 A9 03 8D Fl B7 A9 
B748: 00 8D EC B7 A9 0C 8D ED 
B750: B7 20 7F B7 A9 77 8D Fl 
B758: B7 20 7F B7 A9 71 8D Fl 
B760: B7 20 7F B7 A9 02 8D EC 
B768: B7 A9 OF 8D ED B7 A9 09 
B770: 8D Fl B7 20 7F B7 AD 51 
B778: CO AD 54 CO 4C 9C B7 A9 
B780: 01 8D F4 B7 A9 B7 A0 E8 
B788: 20 B5 B7 CE ED B7 10 08 
B790: A9 OF 8D ED B7 CE EC B7 
B798: CE Fl B7 60 A2 00 BD 00 
B7A0: 71 95 00 E8 DO F8 6C 4E 
B7A8: 00 
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If you want to save this program in the event of an error: 
BSAVE SPELLER.LOADER.MOD,A$B700,L$A9 

I 3[ Use RWTS to write page $B7 to track $0, sector $0: 

803:A9 B7 AO E8 4C B5 B7 
B7EB:00 00 01 
B7F0:00 B7 00 00 02 
803G 

The disk will now boot and work normally. 

If you have not tried the softkey from The Book Of Softkeys 
Volume II (Hardcore COMPUTIST #9), just use the 
SPELLER. LOADER. MOD from this article in place of the original 
SPELLER. LOADER. The rest of the steps in the original article can be 
followed without modification. 



SPELLER.LOADER.MOD source code 


1100 
1110 






SPELLER.LOADER.MOD 


1120 


Loads what used to be part of Sensible Spel ler bootcode 


1130 


Mod i f i cat 


ion to SPELLER. LOADER original ly printed in 


1140 


Vo 1 ume 1 1 


of The Book Of Softkeys (Hardcore COMPUTIST 19) 


1150 


and works 


on SensibleSpel ler IV up to revision 4.2b. 


1160 






1170 


Note that 


some code was rearranged to make room for the 


1180 


new code. 


The free space for patches is $B700-$B7B4. 


1190 


RWTS entry at $B7B5must not be disturbed! 


1200 
1210 


* 






.OR$B700 


1220 




.TF SPELLER.LOADER.MOD 


1230 


* 




1240 


*D0S3.3RWTSParmlist 


1250 


* 




1260 


DRIVE 


.EQ$B7EA 


1270 


TRACK 


.EQ$B7EC 


1280 


SECTOR 


.EQ$B7ED 


1290 


BUFHI 


.EQSB7F1 


1300 


COMMAND 


.EQ$B7F4 


1310 


RWTS 


.EQ$B7B5 


1320 


* 




1330 


* Display Hi-res page 2 


1340 


» 




1350 




BIT $C050 


1360 




BIT $C057 


1370 




BIT $C052 


1380 




BIT $C055 
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1390 


* 




1920 


* 




1400 


* Load the SS logo 


1930 




LDA #$ 71 


1410 


* f roml 


tracks 6 & 7 


1940 




STABUFHI 


1420 


* 




1950 




JSR READ 


1430 




LDA #$0F 


1960 


* 




1440 




STA SECTOR 


1970 


♦Overl 


ays the setup 


1450 




LDA #$07 


1980 


♦ code over pg $09 


1460 




STA TRACK 


1990 


♦ from 


trk $2, set $F. 


1470 




LDX #$01 


2000 


* 




1480 




STX DRIVE 


2010 




LDA #$02 


1490 




DEX 


2020 




STA TRACK 


1500 




STX BUFHI-1 


2030 




LDA #$0F 


1510 




LDA #$5F 


2040 




STA SECTOR 


1520 




STABUFHI 


2050 




LDA #$09 


1530 


LOOP 1 


JSR READ 


2060 




STABUFHI 


1540 




LDABUFHI 


2070 




JSR READ 


1550 




CMP #$40 


2080 


* 




1560 




BCS LOOP1 


2090 


♦ Set the screen to text 


1570 


* 




2100 


♦ page 


1 and exit. 


1580 


* Load 


nenu-uti Is from 


2110 


* 




1590 


* trks $8-$B into mem 


2120 




LDA $C051 


1600 


*$0800-$3FFF. 


2130 




LDA $C054 


1610 


* 




2140 




JMP EXIT 


1620 




LDA #$0B 


2150 


* 




1630 




STA TRACK 


2160 


♦ READ mod if ied to dec. 


1640 




LDA #$07 


2170 


♦BUFH 


after each read 


1650 




STA SECTOR 


2180 


♦ to save code space 


1660 


LOOP 2 


JSR READ 


2190 


* 




1670 




LDABUFHI 


2200 


READ 


LDA #$01 


1680 




CMP #$08 


2210 




STA COMMAND 


1690 




BCS LOOP2 


2220 




LDA #$B7 


1700 


* 




2230 




LDY #$E8 


1710 


♦Load 


pg $03 from 


2240 




JSR RWTS 


1720 


* trk $0, sct$0C. 


2250 




DEC SECTOR 


1730 


* 




2260 




BPL RTS1 


1740 




LDA #$03 


2270 




LDA #$0F 


1750 




STABUFHI 


2280 




STA SECTOR 


1760 




LDA #$00 


2290 




DEC TRACK 


1770 




STA TRACK 


2300 


RTS1 


DEC BUFH 1 


1780 




LDA #$0C 


2310 




RTS 


1790 




STA SECTOR 


2320 


* 




1800 




JSR READ 


2330 


• Restore pg$0 frm$7100 


1810 


* 




2340 


* and jump toSS IV entry 


1820 


♦Get $7700 from trk $0 


2350 


* 




1830 


* set $B. This may not be 


2360 


EXIT 


LDX #$00 


1840 


* needed for your rev. 


2370 


LOOP3 


LDA $7100, X 


1850 


* 




2380 


STA$0,X 


1860 




LDA #$77 


2390 


INX 




1870 




STABUFHI 


2400 


BNE LOOP3 


1880 




JSR READ 


2410 


* 




1890 


* 




2420 


* JMP 


ndi rect to Menu 


1900 


♦Get $7100 (SS page $0) 


2430 


* 




1910 


♦ from 


trk $0, sct$A. 


2440 




JMP ($004E) 
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No RAM card? 

Readers who wish to make a back up of Sensible Speller IV but 
who do not have a removable RAM card should refer to page 82 
of The Book Of Softkeys Volume II or Hardcore 
COMPUTIST # 10, page 6. 

The procedure described in that article doesn't require a RAM 
card but does require that the entry point to the Sensible Speller 
menu be known for the particular revision being backed up. 

Entry points for revisions 4.0c and 4. lc were given in the article 
and we have since learned the menu entry points for several other 
revisions. The table below gives the menu points for several different 
revisions currently in circulation. 

The correct entry point should be used in line 1070 of the source 
code or at address $B791— $B792 of the object code. 

If you don't have one of the versions listed try using an entry 
point of $0800. 

Revision Entry Point 



4.0c 


$33B8 


4.0d 


$33D9 


4.0h 


$351 A 


4.0i 


$3538 


4.0j 


$3522 


4.1b 


$3514 


4.1c 


$3517 


4.2a 


$3584 


4.2b 


$3586 
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Snooper Troops Case #2 

Spinnaker Software 

Deprotecting Snooper Troops (Case #2) 

by Jim Mitchell 
(Hardcore COMPUTIST #13, page 7) 




Requirements: 

Apple ][ 

One blank diskette 
DOS 3.3 System Master 
Super IOB 



Snooper Troops Case #2 is an educational game by Spinnaker 
Software for ages 10 to adult. This game and Snooper Troops I are 
copy-protected in exactly the same way and cannot be backed-up 
using the usual copy programs. However, they can be transformed 
into COPY A form without too much difficulty. 

The copy -protection consists of changing the address-field-header 
from $D5 AA 96 to $BB AA 96, and leaving track $09 empty 
(actually filled with $FF's). When Snooper Troops is copied with 
Locksmith or Copy II Plus, the disk will boot and send you off to 
track $09 where you will stay until you boot another disk. To change 
this program into the friendlier COPYA form, all you need to do is 
use a Super IOB controller to read the address-field-header as $BB 
AA 96, and write the track back onto an empty disk with the normal 
$D5 AA 96 address-field-header. When all the tracks have been 
transferred to the new disk, DOS 3.3 will be written onto the disk 
using the MASTER CREA TE program from the System Master diskette. 
You should then have an unprotected copy of Snooper Troops, Case 
#2, which you may examine or modify at your leisure. 

Procedure: 

| 1 | Type in and save the Super IOB controller at the end of 
this article. 

[ 2 | Save the program in case of an error. I also suggest that 
you write-protect your original copy of Snooper Troops to protect 
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it during this procedure, but be sure to remove it before running 
the program or it will not run properly. 

I 3 | Run Super IOB and follow the prompts that the program 



will display on your monitor. Note that your drive will make noise 
when reading tracks $00 and $09. Do not interrupt the procedure. 
Just ignore the noise if possible; it will not affect the finished product. 
Also, note that tracks $00— $02 will not be copied. 

[ 4 | When the copy is completed, remove the original copy of 
Snooper Troops and place it in a safe location. 

I 5 I Insert your System Master diskette and execute the MASTER 
CREA TE program. 

BRUN MASTER CREATE 



6 I When asked for the name of the greeting program, type 



HELLO. 



7 I Now insert your new copy of Snooper Troops that you just 



made with Super IOB and press I return | . DOS 3.3 will now be 
written onto the disk and, when the disk is booted, the HELLO 
program will automatically run. 

You may now CATALOG the disk, examine the program, and 
modify it if you like. You may also copy the new disk using COPY A 
or any other copy program. 

Note:This program will also allow you to make a backup copy of Snooper 
Troops, Case #1. 1 have not attempted to use it on any other programs from 
Spinnaker Software, but I suspect that it might work on some of them. It 
will also work on Piece of Cake, an educational math program by Counter 
Point Software, which I found to have a nearly identical protection scheme. 
No changes to the program are necessary. 

controller 

1000 REM SNOOPER TROOPS 

1010 TK = 3 :ST = : LT = 35 :CD = WR 

1020 Tl = TK : GOSUB 490 : RESTORE : GOSUB 190 

1030 GOSUB 430 : GOSUB 100 : ST = ST + 1 : I F ST < DOS THEN 1030 

1040 I FBF THEN 1060 

1050 ST = :TK = TK+1 : IF TK = 9 THEN TK = 10 

1055 IF TK< LTTHEN 1030 

1060 GOSUB 230 : GOSUB 490 :TK = Tl :ST = 

1070 GOSUB 430 : GOSUB 100 : ST = ST + 1 : IF ST < DOS THEN 1070 

1080 ST = :TK = TK+1 : IF TK = 9 THEN TK = 10 

1085 I F BF = AND TK < LTTHEN 1070 

1090 IF TK< LT THEN 1020 

1100 HOME : PRINT : PRINT "DONE'WITH'COPY" : END 

63010 DATA 187 ,170 ,150 
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SoftPorn Adventure 

Sierra OnLine Systems 

Softkey For SoftPorn Adventure 

by Wes Felty 
(Hardcore COMPUTIST #11, page 6) 




Requirements: 

Apple ][ Plus 

One blank disk 

Copy II Plus or... 

MUFFIN from your DOS 3.3 System Master 



After several sojourns into the semi-sleazy world of Sierra On- 
Line 's SoftPorn Adventure, I attempted to SAVE a game in progress, 
but was only rewarded with an I/O ERROR. I then decided that this 
disk needed to be moved to a normal DOS. The steps are quite simple 
and illustrate some of the basic steps for de-protecting many other 
programs. 

First of all, this program is bootable under either DOS 3.2 or 
DOS 3.3. For many disks like this, all it takes to break the basic 
protection scheme is to MUFFIN the file over to a normal DOS 3.3 
disk. On SoftPorn Adventure, however, there are some other fairly 
simple protection schemes which also have to be removed. 



Conversion to Normal DOS 

You will need a formatted DOS 3.3 disk to copy the SoftPorn 
files onto so you should INIT a blank disk if you don't already have 
one at hand. Then, either BRUN MUFFIN from the DOS 3.3 System 
Master or the normal copy mode of COPY II Plus. If you use COPY 
II Plus, set the source disk to DOS 3.2 and the destination to DOS 
3.3. Copy (or^FF//V)allfilesexcept/£i£OtotheDOS3.3diskusing 
the wildcard character ( = ). 

Unusual File Names 

An old method of protecting files on a disk was to include control 
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characters within the name or the use of characters that couldn't 
be entered from the keyboard. 
The files are: CHAIN, HELLO, ///, ////, __, , and 

Modern copy programs such as Copy II Plus have no trouble 
displaying titles like this or copying the programs. The Apple //e 
allows direct entry of these characters, but on an Apple It or Apple 
][ Plus about the only way to get control characters and characters 
not on the keyboard is to do a CATALOG and then use |esc| . [JJ, 
and ED to trace over the file names. Of course, if you have a disk- 
editor you can use it to change the file names directly on the directory 
sectors, although I would not recommend doing this to an original 
disk. The use of the wildcard character when transferring files with 
FID eliminates the any problems caused by file names. 

I recommend that you do NOT rename the files on the SoftPorn 
Adventure disk. If you wish they can be easily LOADed and LISTed 
by CATALOGing and using I esc | . (JJ and ED • If you change the 
names then you will also have to change the names inside the 
programs: 

A / shows up in a program as LOG and _ shows up as SIN. 

In , lines 550, 560, and 580 refer to////. Lines 520, 530, 

and 540 refer to and line 610 refers to . 

In program , line 201 1 refers to ///. Line 5 10 in the program 

///refers to __. 



Nibble Count 

SoftPorn's first line of defense actually isn't its DOS, but the use 
of a nibble-count. Checking through the Hello program, I found 
that its only real function was to perform the nibble-count. 
Therefore, don't bother copying it or delete it after transfer. On 
your new disk: 

RENAME , HELLO 

LOAD HELLO 

Now delete line 347 which again checks the nibble-count: 

347 

SAVE HELLO 



The Reset Vector 

The last step in the deprotection of this program is the disabling 
of the 'on reset, boot...' command. To do this: 

LOAD HELLO 
LIST0.1 
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Delete the POKE 1011,0 and the POKE 1012,8 commands. 
These POKEs set up the reset vector so that it will boot when 
Ireset) is pressed. 

SAVE HELLO 

You have a fully broken SqftPorn Adventure. 

Advanced Pornography Technique? 

The deprotected SoftPorn Adventure disk works just like the 
original, except that you can now save a game in progress, even 
onto the game disk itself. Just ignore the prompts to switch disks. 

You may also list the BASIC programs by LOADing them using 
the E3to retype. 

You can also read the Text files using Copy II Plus's "VIEW 
FILES/TEXT" option for some clues for playing the game. 

You can even I reset | from within a game, give yourself a 
million dollars (type M = 10900 I return | ). then type CONT PjetOrnI 
to get back into the game. 

One final clue for the game. As the serpent told Eve: "One man's 
garbage is another man's gain." 

Recapping, here are the necessary steps for making a backup of 
SoftPorn Adventure. 

I Tl Use MUFFIN from the DOS 3 . 3 Master disk to transfer all the 



files except HELLO from the original SoftPorn Adventure over to a 
formatted DOS 3.3 disk. Use the wildcard character 
( = ), with prompting, when making the transfer: 

BRUN MUFFIN 

Alternatively, the normal file transfer utility from Copy II Plus can 
be used if the original DOS is set to 3.2 and the copy DOS is set 
to 3.3. 

I 2 I On the copied disk: 

RENAME .HELLO 

If you have an Apple 11 or Apple ][ Plus you will need Copy II 
Plus or a disk-editor to change the file name. CATALOGing the 
disk and then using [HD, (T], and [JJ will also work. 

I 3 | Removes the nibble count check from the HELLO program: 

LOAD HELLO 

347 

POKE 34,0: POKE 35,24: CLEAR 

SAVE HELLO.ECD 



a 
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Stickybear series 

Xerox Educational Software 



Stickybear Softkey 

by Jerry Caldwell 
(Hardcore COMPUTIST # 15, page 10) 




Requirements: 

Apple ][ Plus or equivalent 

Blank disks 

Disk Search Utility (Inspector, ZAP, etc.) 

COPY A from the DOS 3.3 System Master 

Copycard or Integer card (optional) 



For those who have looked into the excellent Stickybear series, 
the disks can be read by a normal sector editor or copied by COPY A 
with the exception of one sector. The protection scheme is based 
solely upon the data residing on this one sector. On the different 
programs in the series, the location of this protection will vary, but 
it is generally sector $0F on track $01 or $02. This sector is checked 
at various intervals to validate the presence of the original Stickybear 
disk and, as many of you probably know, is very hard to duplicate 
even with the latest bit-copy programs. 

Analysis of the booting process reveals that various tracks are 
loaded into memory, and then a jump is taken to a sequence of 
machine language instructions that are nearly identical on several 
of the Stickybear disks. In this series of instructions, an IOB 
(Input/Output Block, see pages 94-98 of the DOS 3.3 Manual or 
Chapter 6 of Beneath Apple DOS) is created for reading the protected 
sector. Next, a subroutine which alters the RWTS 'post-nibblization' 
routine (used to convert the 6-x-2 -encoded nibbles read from the 
disk into 8-bit bytes) at $B8C2 is called. This change to the post- 
nibblization routine makes the first instruction of it a jump to a 
different post-nibblization routine located on hi-res page 2 (at $4E9F 
on Stickybear Bop). When the RWTS is called, the protected sector 
is read into memory. To restore the post-nibble routine to its original 
form, a second call is made to the routine which changed it in the 
first place. 
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The technique for producing a backup is as follows: 

Using a modified COPYA , the original disk will be copied, ignoring 
the the read-error on the protected sector. 

The COPYA-ed backup will then be searched with a disk-search 
utility for the code which reads the protected sector. Once this code 
has been found, the memory where the protected data is read into 
must be identified by examining the code which sets up the IOB. 

The original Stickybear disk is then booted up, allowed to read 
the protected sector into memory and the program is then halted 
by an old Monitor |reset| , an NMI card, or by modifying one of 
the copies of the disk. This translated data can then be recovered 
and written back to the proper sector on the COPYA-ed disk with a 
sector-editor. 

Finally, because this sector on the backup will no longer be 
protected, the routine which alters the post-nibblization routine must 
be disabled. 

Modifying COPYA 

As pointed out in the documentation for Bag of Tricks, COPYA 
can be modified to permit disks with I/O errors to be copied (except 
for the sectors which are unreadable). This can be done by changing 
byte $E1 of file COPY. OB J lo an $EA (NOP instruction). The 
procedure to do this is as follows: 

First, insert the disk with COPYA on it and load the COPY. OBJ file: 

BLOAD COPY.OBJ 

Alter COPY. OBJ so that it will ignore unreadable sectors: 

POKE 929 ,234 

And resave it on another disk: 

BSAVE COPY.OBJO,A$2C0,L$1OB 

Note: BSAVE this to another disk which contains the Applesoft 
program COPYA , unless you want to have the modified version on your 
System Master. 

Now, run the modified COPYA and, when prompted, copy the 
original disk to a blank. You should hear the drive recalibrate twice 
when it comes across the protected sector. If you do not have any 
means of resetting into the Monitor, make two copies of the 
Stickybear disk at this time. 

The backups made with the altered COPYA will be almost identical 
to the original now, except that they will not work. The sector that 
is protected on the Stickybear original will be formatted, but will 
contain no data. We will rectify this situation shortly. 

The next step in creating the backup is to locate the sector which 
contains the instructions for setting up the IOB to read the protected 
sector. These instructions are as follows: 

The Book Of Softkeys Volume III 95 



A9» 


LOA #$ff 


Track wi th protected sector 


8D EC B7 


STA $B7EC 


Store it in the I0B 


A9h 


LDA Uss 


Protected sector 


8D ED B7 


STA $B7ED 


Put it in the I0B, too 



You will need a disk-search utility like ZAP or Inspector to search 
the backup for the instruction STA $B7EC (8D EC B7). This code 
could be located almost anywhere on the disk, but tracks $1, $2 
and $1 1 are likely candidates. Once you find this code, disassemble 
the sector and look for some more code which has the form: 



A9 II 


LDA #$// 


Low byte of data buffer 


8D F0 B7 


STA $B7F0 


Store it in the I0B 


A9M 


LDA #$Mi 


High byte of the data buffer 


8DF1B7 


STA $B7F1 


Store it in the I0B 



This set of instructions will indicate to you the location in memory 
that the protected sector will be read into. For example, if the code 
you find reads: 

A9 00 LDA #$00 

8D F0 B7 STA $B7F0 

A9 03 LDA #$03 

8D Fl B7 STA $B7F1 

then the protected sector will be read into memory starting at address 
$300. However, different Stickybear programs will store the data 
at different locations. Make a note of whatever address you decide 
that the protected sector is being loaded into. 

Next, disassemble a little bit further and look for the next three 
JSR's. (Note: On some programs in the Stickybear series, the three 
JSR's will be on a sector adjacent to the one where the code which 
sets up the IOB is found). You should find a JSR $B7B5 which is 
sandwiched between two other JSR's to the same address. The call 
to $B7B5 is the main entry point to RWTS and the other two JSR's 
call the routine which alters the post-nibblization routine. The first 
call to the routine will alters the post-nibble routine before reading 
the protected sector and the second call to the routine restores it 
back to its normal form. 

Just past the second call to the table-alteration routine you should 
see the instructions: 

60 RTS 

A2 00 LDX #$00 

The RTS marks the end of the routine which reads the protected 
sector and the LDX #$00 is the first instruction of the code 
responsible for altering the post-nibble routine. Later, we will negate 
this subroutine by storing a $60 in the place of the $A2 so that no 
alteration of the post-nibble routine will occur when it is called. 
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Recovering the Data 

The data on the protected sector can be recovered in one of two 
ways. The first method requires an old Monitor F- ROM or NMI 
card so that the running Stickybear program can be interrupted. If 
you do not have any means of halting the program, then you will 
have to use the second, brute force method. I'll describe the easy 
method first. 

The Easy Way 

The |reset| method of recovering the data is very straight- 
forward. First, the original Stickybear program is booted up and 
allowed to read the protected sector. The program is then halted 
and the portion of memory that the data was read into is moved 
to a 'safe' location in memory before booting up a DOS 3.3 slave 
disk. The translated data from the protected sector can then be saved 
onto disk for later use. For instance, if you discover that the protected 
sector is being read into $300, boot up the original Stickybear disk, 
halt the program after itJias started running and from the monitor 
type: 

9000<30O.3FFM 

C600G (After inserting a DOS 3.3 slave disk) 

BSAVE PROTECTED SECTOR,A$9000,L$100 

The data from this sector will later be written to a backup copy of 
the Stickybear disk. 

The Hard Way 

Lacking an Integer or NMI card, we must alter one of the backups 
we have made to allow us to boot the backup, wait for us to insert 
the original, read the encoded sector and then exit to the monitor. 

Earlier in the article the 'JSR sandwich' responsible for altering 
the post-nibblization-routine and reading the protected sector was 
described. What we will do is alter the first and third JSR's. The 
first JSR will be altered so that it calls a routine which we will write. 
This routine will wait for a keypress (while we insert the original 
disk) before calling the post-nibble-alteration routine. The second 
JSR will be changed to a JMP $FF65 so that the Apple's Monitor 
will be entered and the data from the protected sector can be 
recovered. 

Due to of the number of different Stickybear programs, the 
location on the disk that these alterations have to be made will vary. 
As an example, I will show you how to make the changes to 
Stickybear Bop. For other programs in the series, the changes will 
be pretty much the same, except that they will have to be made to 
different sectors on the disk. 
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On Stickybear Bop, the code which reads the protected sector 
starts on track $11, sector $02 and ends on track $11, sector $01 . 
A disassembly of this routine is printed below: 



4DD8- 


A9 02 


LDA #$02 


4E12- 


A2 00 


LDX #$00 


4DDA- 


8D EC B7 


STA $B7EC 


4E14- 


A0 00 


LDY #$00 


4DDD- 


A9 0F 


LDA #$0F 


4E16- 


BD 3B 4E 


LDA$4E3B,X 


4DDF- 


8D ED B7 


STA $B7ED 


4E19- 


E8 


INX 


4DE2- 


A9 00 


LDA #$00 


4E1A- 


85 68 


STA $68 


4DE4- 


8D F0 B7 


STA $B7F0 


4E1C- 


BD 3B 4E 


LDA$4E3B,X 


4DE7- 


A9B0 


LDA#$B0 


4E1F- 


E8 


INX 


4DE9- 


8D Fl B7 


STA $B7F1 


4E20- 


85 69 


STA $69 


4DEC- 


A9 00 


LDA #$00 


4E22- 


C5 68 


CMP $68 


4DEE- 


8D EB B7 


STA $B7EB 


4E24- 


D0 05 


BNE $4E2B 


40F1- 


A9 01 


LDA #$01 


4E26- 


C9 00 


CMP #$00 


4DF3- 


8D EA B7 


STA $B7EA 


4E28- 


D0 01 


BNE $4E2B 


4DF6- 


A9B7 


LDA #$B7 


4E2A- 


60 


RTS 


4DF8- 


A0E8 


LDY #$E8 


4E2B- 


BD 3B 4E 


LDA $4E3B,X 


4DFA- 


A2 00 


LDX #$00 


4E2E- 


48 


PHA 


4DFC- 


48 


PHA 


4E2F- 


B168 


LDA ($68), Y 


4DFD- 


8A 


TXA 


4E31- 


9D 3B 4E 


STA$4E3B,X 


4DFE- 


48 


PHA 


4E34- 


E8 


INX 


4DFF- 


98 


TYA 


4E35- 


68 


PLA 


4E00- 


48 


PHA 


4E36- 


9168 


STA ($68) ,Y 


4E01- 


20 12 4E 


JSR$4E12 


4E38- 


4C 16 4E 


JMP$4E16 


4E04- 


68 


PLA 


4E3B- 


C2 


77? 


4E05- 


A8 


TAY 


4E3C- 


B8 


CLV 


4E06- 


68 


PLA 


4E3D- 


4C C3 B8 


JMP $B8C3 


4E07- 


AA 


TAX 


4E40- 


■ 9F 


777 


4E08- 


68 


PLA 


4E41- 


■ C4B8 


CPY $B8 


4E09- 


■ 20 B5 B7 


JSR $B7B5 


4E43- 


• 4E DC B8 


LSR $B8DC 


4E0C- 


• 08 


PHP 


4E46- 


• 4C DD B8 


JMP $B8DD 


4E0D- 


■ 20 12 4E 


JSR $4E12 


4E49- 


- 4F 


77? 


4E10- 


- 28 


PLP 


4E4A- 


- DE B8 4E 


DEC$4EB8,X 


4E11- 


- 60 


RTS 


4E4D- 


- 00 


BRK 



As a result of examining this code you should be able to see that 
sector $F on track $02 is the protected sector and that it is read 
into $B000— $B0FF. 

The JSR $4E12 instructions are the calls to the post-nibblization- 
alteration routine. The first of these calls will be changed to a JSR 
$BCDF. At $BCDF, which is the beginning of 33 free bytes within 
the RWTS, we will put the routine which waits for the keypress 
before reading the protected sector. This routine will look like this: 

20 0CFD JSR$FD0C Wait for a keypress 
20 12 4E JSR $4E12 Alter Postnibble 

60 RTS Return 

The second JSR $4E12 will be changed to JSR $FF65 for entry 
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into the Apple's Monitor. So, on Stickybear Bop make the following 
sector edits to one of your backup copies: 

Track Sector Byte From To 



00 


06 


DF 


88 


20 


00 


06 


E0 


A5 


0C 


00 


06 


El 


E8 


FD 


00 


06 


E2 


91 


20 


00 


06 


E3 


A0 


12 


00 


06 


E4 


94 


4E 


00 


06 


E5 


88 


60 


11 


01 


02 


12 


DF 


11 


01 


03 


4E 


BC 


11 


01 


0E 


12 


65 


11 


01 


0F 


4E 


FF 



After making the changes, boot this disk. The patch at $BCDF 
will be executed momentarily. The drive will continue to spin, but 
all movement of the head will stop because the code is waiting for 
a key to be pressed. At this time, remove the modified backup, insert 
your write-protected original disk and press any key. When you hear 
a beep, the protected sector will have been read into memory. 
Depending upon the current setting of thescreen soft-switches, you 
may or may not be able to see what you type at the keyboard. But 
fear not. Your Apple will accept input just the same. So, place a 
DOS 3.3 slave disk in the drive and recover the data from the 
protected sector by carefully typing: 

9Q00<B0O0.B0FFM 

C600G 

BSAVE PROTECTED SECTOR,A$9000,L$100 

Remember, Stickybear Bop was used as an example here and you 
will have to modify the procedure depending upon which disk in 
the series you are using. 

Once you have saved the data from the protected sector on disk, 
all you have to do is write this data back to the appropriate sector 
on the other COPYAed disk of the Stickybear disk and change the 
first byte of the routine that alters the post-nibble routine from a 
$A2 (LDX) to a $60 (RTS). A generalized step-by-step procedure 
for making backups of the Stickybear series follows below. 

Stickybears in General 



1 I Make two copies of the Stickybear disk using the modified 



COPYA program which was described earlier. 

I 2j Use a disk search utility, such as ZAP or Inspector to search 

the disk for the code which sets up the IOB for reading the protected 

sector. Search for a hex pattern of 8D EC B7. 

Note: On Stickybear Bop, it will be found on track $11, sector $2. 
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I 3 | Examine the code on the sector where this pattern was found 
and identify the portion of memory that the protected sector is read 
into. 

Note: On Stickybear Bop, it is read into $B000— $B0FF from track 
$02, sector $F. 

| 4 | Recover the data from the protected sector by using either 
the 'Easy Way' or the 'Hard Way' and save it to disk. 

1 5 | Write the data from the protected sector to the appropriate 
sector on the backup with a sector-editor. 
Note: On Stickybear Bop, it should be written to track $02, sector 
$F. 

| 6 | Change the first byte of the routine which alters the post- 
nibble-routine from a $A2 to a $60 and write it back to the disk. 
Note: On Stickybear Bop, this is byte $12 on track $11, sector $1 . 
At this point, you should (hopefully) have a completely COPYA- 
able version of your Stickybear disk that boots and runs exactly likes 
the original. Congratulations, if you were successful. If your backup 
does not boot, then carefully go back over the procedure and make 
sure that you did not forget to do anything along the way. 

Although I have not had an opportunity to test this procedure on 
anything but Stickybear disks, I would not be surprised if it also 
works on other programs put out by Xerox. 



Albert Snopes' 

More Stickybear softkeys 



for: Fat City 

Basket Bounce 
Numbers Or Shapes 



1 1 Use the modified COPYA presented in the previous article. 



| 2| Use the TRACER from CIA files to find the sector where 
the IOB is set up. Then search for a pattern of 8D EC B7 and 
determine the location on the disk of the protected sector and its 
destination in memory. 

~Z\ [reset) into the Monitor after booting the game. Move the 



data from the protected sector to $9000 where it was safe from a 
reboot. Booted a slave disk and BSAVED PROTECTED SECTOR, 
A$19000,L$100. 

| 4 | Use the Inspector and Watson to write the recovered data 
back to the COPYA-ed disk. Perform the sector edit that prevents the 
program from altering its RWTS. 
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I have found that this technique will work on four of the disks 
in the series without any alterations. Here is the data you will need: 

Sector which reads protected sector: track $02, sector $06 

Protected sector: track $01, sector $0F 

Destination of protected sector: $1F00 

Sector edit: track $02, sector $06, from $3A to $60 

Randy Ramirez's 

Still More Sticky bear info 

If you're a beginner and a little shaky about writing the protected 
sector back to the COPYA backup, here's another way to do it: 

I 1 | Instead of moving $300— $3FF to $9000, move it to 6000 
(it's just a nice number to tinker with...): 

6000<300.3FFM C600G 



2\ Boot a DOS 3.3 diskette without a Hello program. 
~3] Remember: You copied $300— $3FF into $6000— $60FF. 



Now, instead of BSAVEing the protected sector, lets just write it 
directly to the backup disk that you made, since it's already in 
memory. This short write-routine will do the job: 

CALL -151 

300:20 E3 03 sets up DOS' RWTS routine 

303:4C D9 03 

B7EB: 00 02 OF set track ($02) and sector ($0F) 

B7F0100 60 buffer (storage) in lo-hi order ($6000) 

B7F2: 00 00 02 02 tells RWTS to write a track & sector 



4 | Now you're ready to write. Insert the backup you've made 



of the Stickybear and from the Monitor type: 
300G 

You have a perfectly COPYAable Stickybear BOP backup. 

I used this technique of writing a sector because when you BSAVE 
the protected sector, it creates a third sector which makes it 
impossible to write into a single sector without a sector editor. The 
third sector is due to a binary files address and length information. 

This technique writes a sector to disk as long as you specify the 
buffer address and the track and sector, of course. 



£ 
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Suicide 

Piccadilly software 

Deprotecting Suicide 

by Clay Harrell 
(Hardcore COMPUTIST # 12, page 6) 




Requirements: 

Apple ][ or Apple ][ Plus with old-style F8 Monitor ROM 
A blank initialized DOS 3.3 disk 



Suicide is a rather gruesome little arcade game in which you 
attempt to save some creatures from killing themselves on the 
sidewalk. The game has a few twists too: you should not save mutant 
creatures, but let them fall to their deaths. Although this game has 
been around for quite awhile, the technique used to remove its 
protection is applicable to a great deal of other protected software. 

Piccadilly uses a lot of disk protection to keep you from making 
a nibble-copy of their disk. The primary protection is the use of 
half-tracks. Upon booting the disk, the disk drive head seeks track 
32 and then proceeds to read in the program alternating between 
whole and half-tracks down to track 19. The program then JMP's 
to $1000 to start the game. 

The first step in removing the copy-protection from a disk like 
this is to find what range of memory it occupies. The best way to 
do this is to use the Monitor memory-move command to fill most 
of memory with 00's, load in the game, and then to I reset | into the 
Monitor what has been loaded over by the program. To fill memory 
from $800— $9600 with 00's, from the Monitor type: 

800:00 N 80K800.95FFM 

After this is done, boot the game and |beset| into the Monitor and 
see what memory is used. 

For Suicide, you should find that memory from $800 to $5FFF 
is used by the game. After booting the game and (HMDing mt0 
Monitor, typing: 

7000<800.A00M 
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will clear the way for a slave disk boot. We can now BSAVE Suicide 
to a DOS 3.3 slave disk. 

If you try 1000G, you will find that the game starts up and 
everything is fine. When you |reset| into the Monitor you will see 
some screen garbage over text page one but fear not. This is the 
program loader and not part of the game. It does not need to be 
saved. 

With Suicide, it is important to press I reset | at the right time. 
Make sure you press I reset | right when the red drive light goes out 
(when the initial title page is showing). Stopping the program here 
serves two purposes. First, when you save the game you will get 
the nice title page, and second, it stops the program before it 
initializes the lower pages of memory. 

So here's the method to deprotecting Suicide: 

l\ Boot Suicide and, just after the drive motor stops (and when 



the initial title page is showing), I reset | into the Monitor. 

I 2 | Next, move pages $08 and $09 where they will be safe 
during the boot of a slave disk; 

700O<800.9FFM 

I 3 | Boot a 48K slave disk with a short or null HELLO greeting 
program: 

PR#6 



3 Enter the Monitor and move pages $08 and $09 back to 



their original locations: 

CALL -151 
800<7000.71FFM 

| 5 | Next, enter some code which displays hi-res page 2 before 
the game starts: 

FF4:AD 50 CO AD 54 CO AD 57 CO AD 52 CO 



6| Install a patch to the above code at $FF4: 



7FD:4C F4 OF 



"7~| Finally, BSAVE the game to a DOS 3.3 disk by typing: 



BSAVE SUICIDE,A$7FD,L$5803 



5 
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TellStar 

Information Unlimited Software 

Softkey For TellStar 

by William Wingfield, Jr. 
(Hardcore COMPUTIST #13, page 8) 



Requirements: 

Apple ][ Plus or Apple lie 

Inspector/Watson 

MUFFIN from the DOS 3.3 System Master 

Initialized DOS 3.3 disk 



TellStar is an absolutely amazing program. It is great to have 
around for the people that look at the Apple and say, "So what does 
it do other than play games?" I have yet to see anyone who hasn't 
been impressed by TellStar's information of the night sky. The 
program does have one slight problem, though: copy-protection. 
That problem can be remedied quite easily so that the program can 
be viewed and reduced in size from a whole disk to 326 sectors. 

There are two parts to the protection scheme for this program. 
The first is an altered DOS 3.2 format. The second is a phony catalog 
on track $11; the real catalog is on $15. It's good to know that 
someone puts those Beagle Brothers tip books to use. We'll use 
MUFF IN as our DOS 3.2 code source and to transfer the files when we 
are ready. x 

The first thing to do is to fix the catalog so that MUFF IN can find 
the files. We'll be writing to the TellStar disk, so use a backup to 
be on the safe side. 

I 1 I Boot the Master disk, install Inspector (or Watson) and load 
MUFFIN: 

BLOAD MUFFIN 



2| Now we'll fix the 3.2 code to match that used by TellStar. 



You can make the changes from Inspector or from the Monitor. 
The last byte of the Address-marker changes from track to track 
so we'll make DOS ignore it: 
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1A8A:29 00 



3 | The last byte of the End-of-Data-marker has been changed 



to $D5 so we'll match that next. 
1A60:D5 



4 I Since we need to write to the disk, we must also match the 



bytes in the section of DOS that does the writing. The last byte of 
the Address-marker on track $1 1 is $D6 (you may wish to verify 
the markers on your disk in the event that they aren't all the same) 
so we'll match it: 

1FFF:D6 
19E3:D5 



5 I Now to fix the CATALOG. Enter Inspector if you haven't 



already done so. Inspector uses $3DA— $3DB as a pointer for the 
RWTS it uses when accessing a disk. The RWTS for MUFF IN thai 
we just altered is at $1E00 so edit these bytes to $00 and $1E 
respectively. Next, go to a clean buffer such as $50 and read in 
track $11, sector $C. Bytes $2 and $3 show $1 1 and $0C, the fake 
catalog. Edit these to $15 and $09, the real catalog location, and 
write the sector back to the disk. Return the pointer on page $3 to 
$B7B5 and exit Inspector. 

| 6 | Now to unlock the disk. Start up MUFFIN: 

CALL 2051 



| 7| Use = for FILE NAME and transfer all the files to the 
3.3 disk. You can delete the file called REAL CAT (\x just reserved 
space for the CATALOG on the protected disk). TELLSTAR I is the 
greeting program. 

| 8 | Exit from MUFFIN and load the greeting program: 

LOAD TELLSTAR I 



Eliminate the POKE 214 ,255 from line 100. 



Now if you I reset | from within the program, it won't try to run 
itself every time you enter a command. You're finished! Grab a 
drink and enjoy the feeling of having beaten The Protectors once 
again. 



i 
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Tic Tac Show 

Computer Advanced Idea 

Boot Code Trace For Tic Tac Show 

by Steve Fillipi 
(Hardcore COMPUTIST #15, page 23) 




Requirements: 

Apple ][ Plus or equivalent 
Bit-copier or Super IOB 
One blank disk 



Tic Tac Show is a computerized rendition of the popular TV game 
show that bears a very similar name. .The game can be played by 
1 or 2 players and is hosted by the lovely young lady, Carol. The 
players try to place their X's or O's on a Tic-tac-toe board by 
correctly answering questions from a particular subject category. 
The first player to get 3 adjacent squares on the board is declared 
the winner. The game is very nicely done and youngsters of all ages 
should enjoy playing it. Because the program allows you to create 
your own categories and questions, the game can be tailored for 
specific educational settings. Unfortunately, the potential of this 
program in an educational environment is somewhat limited by its 
copy-protection. 

With a little investigation, I found the protection scheme on Tic 
Tac Show to be as follows: 

1. The Address-epilogues and Data-epilogues on track $0 have 
been modified. The Address-epilogues are changed to B5 AB EB 
and the Data-epilogues are AB A A EB. 

2. The Tic Tac Show DOS resides on tracks $1.5 through $4.5. 

3. Tracks $6— $22 are normally formatted, but 2 directories are 
present, one on track $11 and one on track $06. The files in the 
directory on track $11 contain the questions and answers, and the 
files in the directory on track $6 hold the code for the game itself. 
The DOS utilizes the two directories by changing the value at $AC01 
from a $11 to a $06, or vice-versa. 

From this description of the protection scheme, it appears that 
it would not be too difficult to backup this disk with a bit-copier 
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by copying tracks 0, 1.5-4.5 and 6-22. Surprisingly, I could not 
get Copy II Plus v4. 4c or Essential Data Duplicator III to make 
a bootable copy of 77c Tac Show. Instead of fooling around with 
parameter settings and disk drive speed adjustments, I decided to 
try and boot-code-trace the disk. For me, this proved to be a more 
successful and educational approach than using a bit copier. My 
report follows. 

Boot Code Theory 

Although the boot-code-tracing technique has been covered 
several times before in the pages of this magazine, I will quickly 
go over a little theory for the benefit of new readers. 

The basis for boot-code-tracing lies in the fact that on any bootable 
disk, whether protected or not, track $0, sector $0 must be readable 
by the disk controller hardware. The first thing that happens when 
a disk boots is that track $0, sector $0 is read into memory at 
$800— $8FF. After this has occurred, the code in the disk 
controller's ROM jumps to $801 and the code there reads track $0 
into memory (on normal disks). Protected disks may vary. The boot 
will continue from here, reading whatever tracks are necessary, until 
it is complete. 

To boot-code-trace a disk, it is necessary to halt the boot after 
track $0, sector $0 has been read into memory, but before the code 
at $801 starts to excute. This can be done by moving the code from 
the disk-controller ROM down into RAM where it can be modified. 
Instead of jumping to $801 to continue the boot, it will now enter 
the Apple's Monitor. The code read in from the disk can then be 
examined and possibly modified so that another stage of the boot 
will take place before the Monitor is again entered. By stopping 
at various stages of the boot, the entire program can eventually be 
read into memory and transferred to a normal disk. The difficulty 
of boot-code-tracing copy-protected disks varies greatly, but 
whatever the difficulty, a good knowledge of 6502 machine language 
is an absolute necessity for trying this technique on your own. 

Tic Tac Boot 

When performing a boot-code-trace, first disconnect DOS and 
fill up memory from $800— $BFFF with $1 1 's so we can tell where 
code gets loaded into. Do this by typing: 

CALL -151 

FE89G N FE93G 

800:11 N 801<800.BFFFM 

Next, move the code from the disk-controller ROM down into 
RAM where it can be modified: 
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9600<C600.C6FFM 
96F8:A9 00 85 FC 85 FD 85 FE 
9700:A9 60 85 FF A0 43 Bl FC 
9710:91 FE 88 10 F9 AD E8 CO 
9718:4C 69 FF 



If you disassemble from $96F8, you should see the following code: 

ft^ro Art nn I r\A u&nn GiaC D1 CP I HA /ttC/^\ V 



96F8- 


A9 00 


LDA #$00 


9706- 


Bl FC 


LDA($FC),Y 


96FA- 


85 FC 


STA $FC 


9708- 


91 FE 


STA($FE),Y 


96FC- 


85 FD 


STA $FD 


970A- 


88 


DEY 


96FE- 


85 FE 


STA $FE 


970B- 


10 F9 


BPL $9706 


9700- 


A9 60 


LDA #$60 


970D- 


AD E8 C0 


LDA $C0E8 


9702- 


85 FF 


STA $FF 


9710- 


4C 69 FF 


JMP $FF69 


9704- 


A0 43 


LDY #$43 









This code will save some necessary zero page locations to page $60 
before turning OFF the drive motor and entering the Monitor. 
Insert the original Tic Tac Show disk into the drive and boot it: 

9600G 

When the drive turns OFF, the B00T1 code will have been read 
into page $08. Examine and compare this code to B00T1 from a DOS 
3.3 slave disk. They are identical except for the values at 
$84D— $85C (sector-skewing-table) and $8FE— $8FF. The Tic Tac 
Show boot reads the sectors from track $0 in physically ascending 
order rather than interleaving them as DOS normally does. This, 
in part, accounts for the slow boot of the disk. On a DOS 3.3 slave 
disk, the values at $8FE— $8FF are B6 09 which indicates that the 
data will be read into memory starting at $B600 and that 10 sectors 
(0—9) will be read in this stage of the boot. On the Tic Tac Show 
disk, these values are $3F $05. This means that 6 sectors of data 
will be read into memory starting at $3F00. 

The B00T1 code exits at $84A with an indirect jump to the address 
stored in $8FD— $8FE. On a normal slave disk this will be $B700 
but, on Tic Tac Show, it is $4000. 

We now want to execute the B00T1 code and let it read the 6 sectors 
of data from track $0 into memory. Typing 801G |Return] would 
prove to be unsuccessful because the code at $801 expects the disk 
drive to be revolving and needs some data from zero page that was 
lost when the Monitor was entered. The necessary code from zero 
page was stored on page $60, so we must enter some code which 
will turn on the disk drive, wait for the drive to come up to speed 
(about 1 second) and restore locations $0— $43 from page $60 before 
jumping to $801. This code can be placed at $900: 

900:8D E9 CO AO 09 A9 CO 20 
908 :A8 FC 88 DO F8 A0 43 Bl 
910:FE 91 FC 88 10 F9 4C 01 
918:08 
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This should disassemble as: 

0900- 8D E9 C0 STA $C0E9 090D- A0 43 LDY #$43 



0903- 


A0 09 


LDY #$09 


090F- 


Bl FE 


LDA($FE),Y 


0905- 


A9C0 


LDA #$C0 


0911- 


91 FC 


STA($FC),Y 


0907- 


20 A8 FC 


JSR $FCA8 


0913- 


88 


DEY 


090A- 


88 


DEY 


0914- 


10 F9 


BPL $090F 


090B- 


D0F8 


BNE $0905 


0916- 


4C 01 08 


JMP $0801 



This code uses the Monitor WAIT routine at $FCA8 to create the 
delay that pauses while the disk drive reaches its proper speed. 
Before you can execute this code we will also have to modify the 
instruction at $84A so that it jumps to the code which turns OFF 
the disk instead of continuing with the boot: 

84A:4C OD 97 

and then execute the next stage of the boot: 

900G 

When the drive shuts off, the code responsible for accessing the 
half-tracks will have been placed at $4000— $44FF (track $0, sector 
$0 is re-read into $3F00— $3FFF). The start of this code should 
disassemble as: 

4000- 86 2B STX $2B 400B- A9 00 LDA #$00 

4002- A2 FF LDX #$FF 400D- 85 06 STA $06 

4004- 9A TXS 400F- 85 07 STA $07 

4005- 2C80C0 BIT $C080 4011-8508 STA $08 
4008-2C81C0 BIT $C081 4013- 8D 78 04 STA $0478 

Notice that the first thing this code does is to store the X-register 
into $2B, which is where the slot number of the drive controller 
is held (actually 16 * slot number). We have to make sure that, 
when we execute the next stage of the boot at $4000, the X-register 
contains a #$60. 

If you disassemble from $40D8, you should find: 



40D8- 


A9 06 


LDA #$06 


40EF- 


4A 


LSR 


40DA- 


8D 01 AC 


STA $AC01 


40F0- 


4A 


•LSR 


40DD- 


A9 01 


LDA #$01 


40F1- 


AA- 


TAX 


40DF- 


8D EA B7 


STA $B7EA 


40F2- 


A9 00 


LDA #$00 


40E2- 


8D F8 B7 


STA $B7F8 


40F4- 


9D 78 04 


STA $0478, X 


40E5- 


A5 2B 


LDA $2B 


40F7- 


9D F8 04 


STA$04F8,X 


40E7- 


8D E9 B7 


STA $B7E9 


40FA- 


20 93 FE 


JSR $FE93 


40EA- 


8D F7 B7 


STA $B7F7 


40FD- 


20 89 FE 


JSR $FE89 


40ED- 


4A 


LSR 


4100- 


4C 84 9D 


JMP $9D84 


40EE- 


4A 


LSR 









By the time this code executes, the Tic Tac Show DOS is in place, 
but not yet initialized. A value of #$06 is stored at $AC01 to set 
up the access of the directory on track $06, and the code goes on 
to set up some memory locations used by DOS and does the 
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equivalent of an IN#0:PR#0. At $4100, the JMP $9D84 is the entry 
to the DOS cold-start routine. When this routine is executed, the 
DOS will be initialized and the disk's greeting file MENU/IBC will 
be loaded in and take over. We don't want this to happen. Instead, 
change the instruction at $4100 so that it jumps to the Monitor: 

4181:69 FF 

The code that we placed at $900 for turning ON the drive and 
setting up zero page is still intact and is again needed for executing 
the next stage of the boot. It has to be changed so that the X-register 
will hold a #$60 and the jump will be to $4000 instead of $801: 

916:A2 60 4C 00 40 

Then continue the boot with: 

90OG 

When the drive shuts off, all the code we need to save will be in 
memory. I found the necessary code to be at $800— $1FFF and 
$8C00— $95FE, in addition to the DOS at $9600— $BFFF. To 
recover this code, it will have to be moved to a location in memory 
that is not overwritten by the boot of a slave disk ($900— $95FE 
is safe). To do this, perform the following memory moves: 

6000<800.8FFM 
2100<8C00.BFFFM 

and then boot a DOS 3.3 slave disk: 

C600G 

Enter the Monitor and move page $08 back into place: 

CALL -151 
800<6000.60FFM 

and then enter some code at $20DE that will put $8C00— $BFFF 
back into place before jumping to the DOS cold-start routine: 

20DE:2O 89 FE 

20E1:20 93 FE A0 00 84 3C 84 
20E9:42 88 84 3E A9 21 85 3D 
20F1:A9 54 85 3F A9 8C C8 20 
20F9:2C FE 4C 84 9D 

This code should disassemble as: 

20DE- 20 89 FE JSR $FE89 20EF- 85 3D STA $3D 

20E1- 20 93 FE JSR $FE93 20F1- A9 54 LDA #$54 

20E4- A0 00 LDY #$00 20F3- 85 3F STA $3F 

20E6- 84 3C STY $3C 20F5- A9 3C LDA #$3C 

20E8- 84 42 STY $42 20F7- 85 43 STA $43 

20EA- 88 DEY 20F9- C8 I NY 

20EB- 84 3E STY $3E 20FA- 20 2C FE JSR $FE2C 

20ED-A9 21 LDA #$21 20FD- 4C 84 9D JMP $9D84 
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Checked the new code, then save $800— $54FF to disk by typing: 
BSAVE TIC TAC SHOW,A$800,L$4D13 

About the only thing left to do is to copy tracks $6— $22 of the 
original Tic Tac Show disk to an initialized disk (preferably with 
a fast DOS) and create a HELLO program for the disk. The necessary 
tracks can be copied either with a bit copier or by Super IOB, and 
the standard controller with the variable TK in line 1010 changed 
from to 6. The Applesoft HELLO program must relocate itself to 
a free area of memory ($800— $54FF will be occupied). Therefore, 
BLOAD in the file 77C WCSMWandthendoaCALL8414($20DE). 
This HELLO program is listed near the end of the article. 

Tic Tac Show is definitely not one of the more difficult disks to 
boot-code-trace. As such, this program would be a good beginner 
project for those wishing to learn the technique. The principles 
covered here can definitely be applied to disks with tougher forms 
of copy-protection if desired. The steps necessary for boot-code- 
tracing Tic Tac Show are recapped below. 

A Recap 

T| INITialize a blank disk, preferably with a fast DOS. The 



volume number of this disk must be 1: 
INIT HELLO, VI 



2 I Use a bit copier or Super IOB with a modified standard 



controller to copy tracks $6— $22 from the original 77c Tac Show 
disk to the disk initialized in Step 1 . 

| 3 | Boot up DOS 3.3, enter the Monitor, move the code from 
the disk controller ROM down to page $96 and modify it to save 
some necessary zero page locations before turning OFF the drive 
motor and entering the Monitor at $FF69: 

CALL -151 

9600<C600.C6FFM 

96F8:A0 43 A9 00 85 FC 85 FD 

9700:85 FE A9 60 85 FF 61 FC 

9708:91 FE 88 10 F9 8D E8 CO 

9710:4C 69 FF 

| 4 | Boot the original Tic Tac Show; insert disk and: 
9600G 

| 5 | After the drive turns OFF and the Monitor prompt 
reappears, make the B00T1 exit jump to the code at $970D, where 
the drive will be turned OFF and the Monitor is entered: 

84A:4C 0D 97 



The Book Of Softkeys Volume III 111 



6 | At $900, place a routine which will turn on the drive, wait 



about one second, restore the necessary zero page locations and then 
jump to the B00T1 code at $801: 

900:8D E9 CO A0 09 A9 CO 20 
908:A8 FC 88 DO F8 A0 43 Bl 
910:FE 91 FC 88 10 F9 4C 01 
918:08 



7 I Read the code necessary for accessing the half-tracks into 



memory by typing: 
900G 



~8~1 The next stage of the boot starts at $4000 and exits at $4100, 



where a jump to the DOS cold-start-routine is taken. Modify this 
jump to enter the Monitor instead of performing the cold-start: 

4101:69 FF 



9 | The code we entered at $900 is still necessary for turning 



on the drive; however, it must be modified a bit so that a jump to 
$4000 is taken with the X-register set to #$60 (for the slot #). Modify 
this code and then execute it: 

916:A2 60 

918:4C 00 40 N 900G 

I 10 I After the drive has been on for about thirty seconds, the 
Monitor prompt should reappear and the drive will turn itself OFF. 
All the code that has to be recovered is now in memory. Insert the 
DOS 3.3 slave disk that was initialized in Step 1 into the drive. 
Before booting it, move the code to 'safe' areas of memory: 

2100<8C00.BFFFM 

6000<800.8FFM 

C600G 

I 11 1 After the DOS 3.3 slave disk has been booted, enter the 
Monitor and move page $60 back down to page $08 by typing: 

800<6000.60FFM 

I 12 | At $20DE, enter the routine which will move code at 
$2100— $54FF back to its proper location ($8C00-$BFFF) before 
jumping to the DOS coldstart routine: 

20DE:20 89 FE 

20E1:20 93 FE A0 00 84 3C 84 
20E9:32 88 84 3E A9 21 85 3D 
20F1:A9 54 85 3F A9 8C 85 43 
20F9:C8 20 2C FE 4C 84 9D 
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I 13 I Next, save memory from $800— $54FF to the disk by 
typing: 

BSAVE TIC TAC,A$800,L$4D13 

1 14 | Finally, type in the following HELLO program and save it 
to the disk: 

HELLO 

10 ON PEEK (104) =96 GOTO 20 : POKE 104 ,96 : POKE 24576 ,0 : PRINT 

CHR$ (4) "RUN' HELLO" 
20 PRINT CHR$ (4 ) "BLOAD"TIC A TAC i SHOI«,A$800" 
30 CALL 8414 



SAVE HELLO 

The resulting disk is completely COFW-ableand, in addition, will 
boot quite a bit faster than the original did. 
Carol awaits you. 



£ 
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Time is Money 

Turning Point Software 



Deprotecting Time Is Money 

by Rod Wideman 
(Hardcore COMPUTIST #12, page 7) 



Requirements: 

48K Apple ][ Plus equivalent 
COPY A from DOS 3.3 System Master 
A blank disk 
A sector-editing program 



Copy Time Is Money easily using the following instructions: 



1 | Make a copy of Time Is Money with COPYA from the DOS 



3.3 System Master. 
RUN COPYA 



2| Use a sector-editor to make the following modifications to 



the copy of Time Is Money: 

Track Sector Byte 

$02 
$02 
$05 
$05 



$0F 


$19 


$0F 


$74 


$0F 


$19 


$0F 


$74 



From 


To 


$BD 


$60 


$38 


$18 


$BD 


$60 


$38 


$18 



3 | Don't forget to write the modified sectors back out to the 



disk. 



S 
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Type Attack 

Sinus Software 

Backing Up Type Attack 

by Jerry Caldwell 
(Hardcore COMPUTIST #12, page 8) 




Requirements: 

48K Apple ][ Plus or equivalent 
A nibble-copy program 
A sector-editor 
One blank disk 



Type Attack from Sirius is one of those rare pieces of software 
that is both educational and fun to use. Unfortunately, like so many 
home and educational programs, Type Attack is copy-protected to 
the extent that none of the bit-copiers I own would make a working 
backup copy. Not wanting to hand my original Type Attack disk 
over to my young children, I set out to find a way to make a copy. 
Happily, I was successful. My report follows. 

I found that on the original Type Attack disk, only tracks $0—$ 10 
have any useful data on them, although track $22 is used to verify 
the presence of the original program disk. I assumed that if I could 
find and circumvent the routine which checks track $22, I would 
have a working bit-copy of Type Attack. 

The majority of the Type Attack disk is 4-x-4-encoded (rather than 
6-x-2-encoded) and cannot be read by a normal sector-editor. This 
makes it very difficult to find the location on the disk that the 
verfication routine is called from. However, track $0, sector $0 can 
be read by any sector-editor and I found that it was possible to make 
some modifications there to prevent the disk-verification-routine 
from being called. The changes I made on track $0, sector $0 
modified the instruction at $A68 so that the disk-verification-routine 
is bypassed and also changed the reset vector so that the disk will 
not do a total reboot if |Reset| is hit. 

On an original copy of Type Attack the final instruction of the 
code on track $0, sector $0 reads: 

JMP$9F0 
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I modified this code to read: 

LDA #$4C 
STA $A68 
LDA #$6E 
STA $A69 
LDA #$0A 
STA $A6A 
LDA #$00 
STA$A01 
LDA #$40 
STA $A0F 
JMP $9F0 

Luckily, there is enough free space on the sector to fit in the extra 
code. Thus, the entire procedure for making a backup of Type Attack 
involves copying tracks $0— $10 with a bit-copier followed by the 
sector-edit to track $0, sector $0 of the copy. 

Attack On Type Attack 



1 | Use a bit-copy program to copy tracks $0— $10 of Type 



Attack. Set the Address-header parameters to AD DA DD (for COPY 
II Plus: E = AD, F = DA, 10 = DD). 

I 2 | Use your sector-editor to make the following changes to 
track $0, sector $0. 

Byte From To Byte From To 



$93 


$4C 


$A9 


$A1 


$00 


$0A 


$94 


$F0 


$4C 


$A2 


$00 


$A9 


$95 


$09 


$8D 


$A3 


$00 


$00 


$96 


$00 


$68 


$A4 


$00 


$8D 


$97 


$00 


$0A 


$A5 


$00 


$01 


$98 


$00 


$A9 


$A6 


$00 


$0A 


$99 


$00 


$6E 


$A7 


$00 


$A9 


$9A 


$00 


$8D 


$A8 


$00 


$40 


$9B 


$00 


$69 


$A9 


$00 


$8D 


$9C 


$00 


$0A 


$AA 


$00 


$0F 


$9D 


$00 


$A9 


$AB 


$00 


$0A 


$9E 


' $00 


$0A 


$AC 


$00 


$4C 


$9F 


$00 


$8D 


$AD 


$00 


$F0 


$A0 


$00 


$6A 


$AE 


$00 


$09 



3 | Write the sector back to the disk. 



S 
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BS 



Ultima III: Exodus B 

Origin Systems 



Softkey For EXODUS: Ultima III 

by Tim Schaap 
(Hardcore COMPUTIST #11, page 27) 




Requirements: 

Apple with 48K 

One disk drive with DOS 3.3 

Super IOB 

One blank disk 



Exodus: Ultima III, by Origin Systems, is a superior role-playing 
game. The author, Lord British, has added many enhancements to 
this, the third, Ultima scenario. Unfortunately, the program side 
of this third Ultima still doesn't allow the user to back it up. On 
the brighter side, there exists a method of unprotecting Exodus. Some 
boot code tracing is required to capture its RWTS, but once this 
has been done, Super IOB, with the proper controller installed, can 
be used to make a backup of Exodus. 

Several things prevent making a duplicate of Exodus with a bit 
copier. The address and data marks on the disk are changed 
extensively throughout the disk. The only tracks that are used on 
the disk are $0— $10, the rest of the tracks being unformatted. The 
disk is similar to normal DOS 3.3 in that it uses normal DOS 3.3 
RWTS calls and an Input/Output Block (IOB). Even though the 
RWTS and IOB are at different locations than in normal DOS 3.3, 
Exodus is a prime target for deprotecting with Super IOB. 

But How Do I Do It? 

To make a backup of your original Exodus disk, first we have 
to capture the entire Exodus RWTS so that it can later be put into 
memory for utilization by Super IOB. In order to do this a little 
boot-code-tracing is required. Boot-code-tracing is not a process used 
for manufacturing footware, but is a technique for gradually loading 
pieces of code into memory from disk and halting the code before 
it can begin to execute. This method is based upon the fact 
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that, even on highly protected Apple disks, track $0, sector $0, must 
be readable by the disk controller hardware. 

I 1 | Begin by entering the Monitor: 



CALL -151 

I 2 | Move BOOT0 into RAM so we can control where it will go 
after reading in B00T1 : 

86OO<C600.C6FFM 

At this point, you may look at $86F8 and see that it jumps out 
to $0801 after reading in B00T1. We want to modify this so it will 
jump to $8801 instead. We make $8601 jump to $FF59, the Monitor, 
so it will give us control after it has read in B00T1 . 

I 3| Modify BOOT0 to jump to $8801 and at $8801 place a jump 
to the Monitor: 

86FA:88 
8881 :4C 59 FF 

I 4 | Everything is ready so we can start up our modified boot: 
8600G 

I 5 I Stop the drive after it beeps: 
C0E8 

I 6| Move $0800 (B00T1 ) to $8800 so we can change how it 
works: 

8800<800.900M 



"T1 The next step changes $8811 to ORA with #$80 instead 



of #$C0 so it will set up the indirect jump to go to $865C (our 
modified-read routine, down in RAM), and not $C65C (the ROM- 
read routine). There is a branch out to $8846 that jumps out only 
after it has read in the necessary information. This step also makes 
$8846, the location where it branches out, jump to the Monitor in 
order to give us control after it has read in the RWTS. 

8812:80 
8846:4C 59 FF 

Note from Nathan Manlove: On my version, a better choice for step 
7 is $8812:80, $8848: 4C 59 FF. At this point it is interesting to 
note that the RWTS is loaded and set up. Therefore, I just skipped 
steps 9, 10 and 11 and went right to step 12. Everything went 
smoothly from there. 

I 8 | Start it up again and stop it after the beep: 

8600G 
C0E8 
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I 9 | It has just loaded in its RWTS, but we will not be able to 
use it at this point because it has not set itself up. Let's make it so 
it will set itself up and let us have control afterwards. Look at $0846, 
the original B00T1 location. It sets up the reset vector and the slot 
number where the disk drive resides ($0854 up to $0860). We will 
have to skip this portion of the code and start our next boot process 
at $0860. But first, we have to set up the reset vector at $03F2 to 
jump to the Monitor when we hit I reset | after the demo has begun: 

3F2:59 FF 5A 

I 18 | Remember, we don't want the code to set up its own values 
for the reset vector and other items. Therefore, we will begin the 
next boot at $0860. 

Note: the drive may recalibrate, but it will read the rest of the 
program in afterwards. 

860G 

I 11 | As soon as the red light on the disk drive goes off, hit 
IresetI . Looking through the RWTS starting at $B500, one would 
find that the IOB table begins at $B750 and that some locations go 
to $B610 to read or write. This location is the main RWTS call to 
go and read a sector. 

| 12 | Now let's move the RWTS down to $2400 where Super 
IOB will use it: 

240Q<B40Q.BFFFM 

Insert the disk that has Super IOB. Make sure that the disk has 
a short HELLO program. For example, a program which merely 
CATALOGS the disk and gives control to the user. Boot up with 
this disk, and after the HELLO program gives you control of the Apple, 
type: 

BSAVE RWTS.EXODUS,A$2400,L$C00 

I 13 | Type in the controller at the end of this article and save 
it by whatever means you usually use. 

I 14 | When RUNning Super IOB with the Ultima III controller 
installed, you must copy with disk drives that are in slot 6. 

Press (Y) when the program asks if it should INITialize the blank 
disk. Give the disk a volume number of 2. 

What Happened? 

After it is finished, Super IOB makes some sector edits by 
changing all the bytes referred to on the small chart below from 
Bl to B2. This tells Exodus that a non-protected disk is being used. 
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Track Sector Change these bytes 



00 00 E7 

00 0D 4 10 1C 28 34 40 4C 58 64 70 7C 88 

In order for Exodus to have a protected boot side and a normal 
DOS player side, the RWTS has to differentiate between the two. 
The protection scheme relies upon the disk volume number to tell 
whether the disk is protected or not. A volume number of 1 tells 
the RWTS that the disk is protected and tells it to get the address 
and data marks from the table which begins at $B765. A volume 
number of 2 tells the RWTS that the disk is the player disk and that 
it should use normal address and data marks. All other volume 
numbers are rejected. The sector-edit performed on track $00, 
sectors $00 and $0D ensures that a normal RWTS is always accessing 
the disk. 

Here is an explanation of some of the modifications to Super IOB 
that the controller makes. 

60 — makes $1A00— $23FF Applesoft variable space, giving plenty 
of room for the program to work in. 

368 — moves memory from $2400— $2FFF to $B400— $BFFF. 

1010 — sets the last track to be copied at 16 and sets up page 3 
to call the Exodus RWTS at $B610. 

1020 — makes the volume to be accessed next a 1, which indicates 
a protected disk. 

1060 — makes the volume number a 2, which indicates an 
unprotected disk. It also tests to see if track zero was read in 
in order to call the sector-edit-routine. 

1110 — 1120 — performs the above mentioned sector edits so that 
upon booting, the Exodus RWTS will think it is reading the 
player disk. 

62000—62010 — alters the Exodus RWTS so that it gets its IOB 
data from $030A instead of $B750. 

Exodus with normal address and data marks is now ready to be 
backed-up and played. This same procedure, with a few changes, 
can be used to make Caverns of Callisto C0PYA-ab\e. 

controller 

60 L0MEM: 6656 : HIMEM: 9215 : GOTO 10010 

360 POKE 253 ,36 : POKE 255 , 180 : POKE 224 , 12 : CALL 832 : RETURN 

1000 REM ULTIMA III CONTROLLER 

1010 TK = :ST = :LT = 17 :CD = WR : 10 = 772 : G0SUB 360 : POKE 773 

,16 : POKE 774 ,182 : GOSUB 62000 
1020 VL = 1 :T1=TK : GOSUB 490 
1030 GOSUB 430 : GOSUB 100 :ST = ST + 1 : I F ST < DOS THEN 1030 



120 The Book Of Softkeys Volume III 



1040 I FBF THEN 1060 

1050 ST = :TK = TK + 1 : IF TK < LT THEN 1030 

1060 VL = 2 : GOSUB 490 :TK = Tl :ST = : IF TK = THEN GOSUB 1110 

1070 GOSUB 430 : GOSUB 100 :ST = ST + 1 : I F ST < DOS THEN 1070 

1080 ST = :TK = TK + 1 : IF BF = AND TK < LT THEN 1070 

1090 I F TK < LT THEN 1020 

1100 HOME : PRINT : PRINT "DONE' WITH 4 COPY" : GOSUB 360 : END 

1110 READ LOC : POKE LOC ,178 : IF LOC <> 13448 THEN 1110 

1120 RETURN 

10010 PRINT CHR$ (4 ) "BLOAD a RWTS. EXODUS, A$2400" 

62000 READ LOC : READ NUM : POKE LOC , NUM : I F NUM <> 10 THEN 62000 

62010 RETURN 

62020 DATA 46610 ,13 ,46611 ,3 ,46621 ,14 ,46622 ,3 ,46625 ,14 

,46626 ,3 ,46708 ,3 ,46710 ,10 
62030 DATA 10215 ,13316 ,13328 ,13340 ,13352 ,13364 ,13376 ,13388 

,13400 ,13412 ,13424 ,13436 ,13448 



a 
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Zoom Graphix 

Phoenix Software 

Deprotecting Zoom Graphix 

by Michael Decker 
(Hardcore COMPUTIST #12, page 9) 




Requirements: 

Apple ][ Plus or equivalent 

COPY A and FID from DOS 3.3 System Master 

Two blank disks 

Zoom Grafix is a superb piece of programming and a delight to 
use, and has been a workhorse in my library for years. The recent 
acquisition of a hard-disk drive prompted me to deprotect it. 

After investigating the Zoom Grafix disk a bit, I was surprised 
to find that the bulk of the programs on the disk are written in 
Applesoft. Zoom Grafix is protected against standard DOS 3.3 copy 
programs by the use of non-standard address marks. This can be 
easily circumvented by making the appropriate POKEs into DOS 
before COPY A is run. However, the Zoom Grafix programs also check 
the disk for an illegal volume number in addition to the usual 
techniques of setting the autorun flag ($D6) and messing up the DOS 
warm-start routine. Since the programs were written in Applesoft, 
it was fairly easy for me to remove these traps. 

The two major steps to deprotecting Zoom Grafix involve: 

1. Copying Zoom Grafix onto a disk which has normal DOS 3.3. 

2. Studying the LISTable Applesoft programs and removing the 

instructions which serve to copy-protect the disk. 

What To Do 

This procedure is based upon the version of Zoom Grafix which 
is dated 9APR82. The procedure will also work on the earlier 
version, but the programs are numbered differently and you will 
need to find the appropriate lines to modify on your own. 

We will use a modified COPYA to copy the original disk to a 
temporary disk which retains the abnormal DOS. Then F/Z7willbe 
used to transfer all the files from the temporary disk to a normal 
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3.3 disk or one that has been initialized with a fast DOS. We also 
have to write a new boot program for the final deprotected Zoom 
Grafix and remove copy-protection traps that some of the Applesoft 
programs contain. 

The overall procedure I use may seem rather roundabout, but there 
are no special requirements such as a non-autostart ROM or NMI 
card. All owners of Zoom Grafix should be able to perform this 
softkey. Let's get started. 

I 1 I Boot with a normal DOS 3.3 disk and then RUN the COPYA 
program: 

PR#6 

RUN COPYA 

I 2j After COPYA is loaded and running, we need to halt it so that 

some modifications to DOS can be made. Line 70 of COPYA will 
also be deleted to eliminate the reLOADing of COPY. OBJ: 

70 

CALL -151 

B954:29 00 

B990:29 00 

3D0G 

RUN 

The changes at $B954— $B955 and $B990.$B991 cause DOS to 
ignore the first bytes of the address headers (normally $D5) and 
address trailers. 



3 | After you have made a copy of Zoom Grafix delete the file 



called GRAFIX from the copy disk and then restore the proper bytes 
to the addresses that were modified above. To do this, type: 

FP 

DELETE GRAFIX 

CALL -151 

B954:C9 D5 

B990:C9 DE 

3D0G 

| 4] Next type in the BASIC program listed below which will 

serve as the boot program for the final deprotected Zoom Graphix 
disk: 

10 TEXT : HOME :D$ = CHR$ (13) + CHR$ (4) 

20 PR I NT D$ "MAXF I LES 4 1 " : PR I NT D$ " BLOAD 4 GRAF I X . OBJ " 

30 HOME : PRINT "l) 44 CONFIGURE' ZOOM" GRAF IX" : PRINT : PRINT "2) 44 

RUN 4 ZOOM" GRAF IX" : PRINT : PRINT """ ENTER 4 YOUR 4 CHO I CE 4 " ; : 

GETA$ : PRINT A$ 
40 I F VAL (A$ ) < 1 OR VAL (A$ ) > 2 THEN GOTO 30 
50A = VAL (A$) : ON A GOTO 60 ,80 
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60 POKE 103 ,1 : POKE 104 ,96 : POKE 24576 ,0 
70 PR I NT CHR$ (4 ) "RUN' GRAF IX' SET-UP" : END 
80 POKE 103 ,1 : POKE 104 ,96 : POKE 24576 ,0 
90PRINTCHR$ (4 ) "RUN' GRAF IX' PART" II" 

| 5 | Now, initialize a blank disk with this program in memory. 
If you like, a fast DOS can be used: 

INIT ZOOM LOADER 

| 6| We will use FID from the DOS 3 . 3 System Master to transfer 
the files from the temporary copy of Zoom Grafix to the disk we 
just initialized. Get FID up and running and use the wildcard character 
( = ) to transfer all the files: 

BRUN FID 

You are now done with the temporary disk. When you 
CATALOG the final copy disk, you'll notice that the program files 
all seem to be 000 sectors long. This is wrong and we will correct 
their sizes by loading, deleting, and resaving them as we deprotect 
them. If you have an Applesoft program editor like GPLE, load it 
in now because it will make your job much easier. 

| 7| The first file we will start up is called GRAF I X SET-UP , so 
load it into memory: 

LOAD GRAFIX SET-UP 



8 | From the end of line 105, remove the following instruction 



which checks for a logo on the text screen. Be sure to remove just 
this one instruction and not the entire line: 

: IF PEEK (10030) > 153 THEN ! 



9 I Insert line 107 (to defeat the volume number check) and 



modify lines 440 and 590 by typing in the lines listed below: 

107 LM = 

440 VTAB 4 :POKE 47147 ,0 :PRINT CHR$ (4) 

" RUN' GRAFIX' PART' II " 
590 NORMAL :TEXT :HOME :PRINT CHR$ (4)"FP" 

| 10 | Check your work and then SAVE the modified GRAFIX 
SET-UP program: 

DELETE GRAFIX SET-UP 
SAVE GRAFIX SET-UP 

| 11 | The next file to be modified is called GRAF I X PART ] [ , so 
LOAD it in. You may have to CATALOG the disk and trace over 
the file name if you can't type the left bracket ( [ ) from your 
keyboard: 

LOAD GRAFIX PART 11 
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GRAF IX PART ] [ is the main program which contains a number of 
excellent routines. 

I 12 | Make the following modification to GRAF IX PART ][ 
before resaving it: Enter a line to kill the volume number check: 

195 LM = 

Remove from the beginning of lines 990 and 1750 a command which 
will trash the DOS warm-start routine: 

: POKE -25150,18: 

Replace line 880 with the following line: 

88©NORMAL:TEXT:HOME:PRINTCHR$(4);"FP" 

I 13 | Check your work and then resave the program. The brackets 
in the file name will be replaced with I's. Again, you may have 
to CATALOG and trace over the file name: 

DELETE GRAFIX PART II 
SAVE GRAFIX PART II 

I 14 I The remainder of the files do not need to be modified, but 
we will LOAD, DELETE and reSAVE them all so that a 
CATALOG will show the proper file sizes: 

BLOAD GRAFIX.INFO 

DELETE GRAFIX.INFO 

BSAVE GRAFIX.INFO,A$800,L$4D5 

The next binary file overwrites its own buffer at the default 
MAXFILES of 3, so: 

MAXFILES 1 

BLOAD GRAFIX.OBJ 

DELETE GRAFIX.OBJ 

BSAVE GRAFIX.OBJ,A$90eO,L$94D 

FP 

Final Comments 

You now have a fully functioning, deprotected Zoom Grafix which 
you can list, examine, and modify. 

GRAFIX PART ] [ is the main program; it pokes in two short 
machine language routines from 926-935 and 936-973 (the latter 
switches hi-res screens). 

GRAFIX. INFO contains set-up parameters as used by GRAFIX 
SET-UP. These parameters are ultimately passed to GRAFIX. OBJ. The 
latter performs the actual printing tasks, as well as screen flipping 
and other duties. 

The deleted program GRAF IX is a loader which is so full of traps 
it's best replaced by the program which we called ZOOM LOADER. 
Note that the loader resets the Applesoft start-of-program pointers 
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to $6000, so that GRAF IX SET-UP and GRAF IX PART] [ load above 
hi-res page 2 (from 24577 to 34016). We closed our exit routines 
with FP so that these pointers and MAXFILES would be normalized 
on exit from the program; if you I reset] out of either program, 
remember that these are left abnormal. 

If your deprotected program seems to run but won't actually print, 
it is probably because you haven't properly run the set-up routines. 
As I mentioned before, those of you who have a different version 
than mine (9APR82) will have to list the programs and find the 
appropriate changes to make. 

A final enhancement 

Zoom Grafix has an undocumented feature. If you enter a question 
mark (?) when the initial screen is displayed, (It will say: MAKE 
SURE PRINTER IS READY THEN PRESS RETURN TO GO ON, 
a date will appear on the screen, presumably the date-of- 
manufacture. You can change this to whatever date you like with 
the following method: 

MAXFILES 1 

BLOAD GRAFIX. OBJ 

POKE 36926, first number (month) 

POKE 36927, second number (day) 

POKE 36928, third number (last two digits of year) 

BSAVE GRAFIX. OBJ, A$9000,L$94D 

FP 



S 
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Breaking 

Locksmith 5.0 

Fast Copy 



Putting Locksmith 5.0 Fast Copy 
Into A Normal Binary File 

by C. V. Fields 
(Hardcore COMPUTIST # 14, page 15) 



Requirements: 

Locksmith 5.0, Rev F 

A way to reset into the Apple Monitor 

A blank disk 



In the past, I have seen two procedures for placing the 16 
SECTOR FAST DISK BACKUP portion of Locksmith 5.0 into 
a normal binary file that you can BRUN. However, neither 
procedure was easy to follow and both required that you write 
memory move routines and save memory from Page through the 
end of the program. This method resulted in a program that was 
much longer than necessary, in addition to the procedures being 
difficult to follow. 

Most readers of this magazine should be able to follow this 
procedure which will produce a 46-sector BRUNable version of the 
fast copy program. It may be a problem for some readers to enter 
the Apple Monitor at just the right time. I use a Replay card, but 
several methods should work, for example: the Old Monitor ROM 
or moving your RAM card to Slot 1 (See Chris Rys' softkey for 
Sensible Speller in The Book Of Softkeys Volume II page 75 
or Hardcore COMPUTIST # 9). 

What follows is a narrative of what I did. Those of you who can't 
wait or don't care about the detail can skip to the step-by-step 
procedure. 

I first stored $11 in all memory locations from $0800 through 
$95FF so I could determine where the program loads: 
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CALL - 151 
N 800:11 
801<800.95FFM 

I then booted LS 5.0 and selected the 16 SECTOR FAST DISK 
BACKUP from the utility menu. The instant the disk drive light went 
out I pressed the button on my Replay card and then selected M 
to go into the Apple Monitor. A quick scan of memory, 800.BFFF, 
showed that the program extended from approximately $800 through 
$3FFF, although some of the code was suspect. There was also some 
code above $8000 that is moved there during the program 
initialization and is not needed as part of the binary file we will save. 

Because page $60 was empty, I moved Page $8 there so I could 
boot a DOS 3.3 slave disk: 

6000<800.8FFM 

I then booted a DOS 3.3 slave disk, with the HELLO deleted, and 
went back to the Monitor so I could move page $8 back down to 
where it belongs: 

CALL - 151 
800<6000.60FFM 

Then I saved the file with: 

BSAVE LS 5.0 FAST COPY,A$800,L$3800 

Now, I knew this file wouldn't work 'as is' because when you 
BRUN a program, DOS BLOADs it and then JuMPs to the starting 
address. So the next thing I had to do was locate the entry point 
of the program so I could put a jump to it at the beginning of the file. 

I used the Inspector/Watson utility to examine the code. If you 
BLOAD the file and then step through the buffers on 
Inspector/Watson, you can view the program in memory with all 
the ASCII text identified. As I scanned the program, I made notes 
on likely starting points, where all the ASCII text was located and 
possible code at the beginning and end that could be eliminated. 

I then started testing the entry points that I had on my list. As 
luck would have it, one of the first points I tested, $2002, bombed 
me into Zero Page (sometimes a bomb means luck) at an address 
of $AB. Since the Monitor shows the address two steps beyond the 
break I subtracted $2 and booted the original LS 5.0 disk again. 
After it loaded I used the Replay card to check location $A9 and 
found a $60, which is a 'ReTurn from Subroutine' instruction. 

Again I BLOADed my test file and this time I went into the 
monitor and placed a $60 at $A9 before I typed 2002G. Much to 
my surprise, it worked perfectly. 

As I said earlier, some of the code looked unnecessary to the 
program so I started cutting off the suspect code a page at a time 
and testing the program until I determined that only Pages $0A 
through $36 were required. There was also enough room at the 
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beginning of Page $0A for our starting code and at the end of Page 
$36 so we could cut to an even full sector. When you BSAVE a 
file, the starting address and length are saved at the beginning of 
the first sector. This extends the code by 4 bytes. The length then 
becomes $36FF - $A00 = $2CFF and $2CFF - $4 = $2CFB. The 
code will, therefore, take up $2D or 45 sectors. Add one sector 
for a track/sector list, and a total of 46 sectors will be needed. 

After some code searching, I also discovered that the slot number 
for all the copying is stored at location $A4B. Adding this to the 
fact that there is some free space at the beginning of page $A, I 
wrote a little startup routine that will allow you to change slot 
numbers. Using this routine you can place the 16 SECTOR FAST 
BACKUP file on a hard disk. 

Therefore, to put your 16 SECTOR FAST BACKUP in a normal 
DOS 3.3 file, follow these steps: 

Step-By-Step Procedure 

I 1 1 Init a DOS 3.3 slave disk and delete the HELLO program. 
I recommend one of the rapid DOS programs such as Diversi-DOS, 
ProntoDOS or my favorite, RapiDOS II. 

INIT HELLO 
DELETE HELLO 

I 2j Boot your original of Locksmith 5.0, Rev F, and select the 

16 SECTOR FAST DISK BACKUP from the utility menu. 

I 3| The instant the disk drive light goes out (while loading the 
Fast Disk Backup) exit to the Apple Monitor using your favorite 
method. 

I 4| Boot your DOS 3.3 slave disk (Note: Since Page $8 is not 
needed, we don't have to move it out of the way): 

6EB 



5 | Enter the Monitor and key in the following hexdump: 



CALL -151 



0A0O 
0A08 
0A10 
0A18 
0A20 
0A28 
0A30 
0A38 
0A40 



20 58 FC A9 2C A2 0C 20 

35 OA A9 08 85 25 20 24 

FC A9 56 A2 11 20 35 0A 

A0 05 84 24 20 0C FD 91 

28 C9 B9 B0 F7 C9 Bl 90 

F3 E9 BO 8D 4B 0A A9 60 

85 A9 4C 02 20 85 FE 86 

FF A0 00 Bl FE F0 05 91 

28 C8 DO F7 60 
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I 6 | Check your typing against thi 


0A00- 20 58 FC 


JSR $FC58 


0A03- A9 2C 


LDA #$2C 


0A05- A2 0C 


LDX #$0C 


0A07- 20 35 0A 


JSR $0A35 


0A0A- A9 08 


LDA #$08 


0A0C- 85 25 


STA $25 


0A0E- 20 24 FC 


JSR $FC24 


0A11- A9 56 


LDA #$56 


0A13- A2 11 


LDX #$11 


0A15- 20 35 0A 


JSR $0A35 


0A18- A0 05 


LDY #$05 


0A1A- 84 24 


STY $24 


0A1C- 20 0C FD 


JSR $FD0C 


0A1F- 91 28 


STA ($28), Y 


0A21- C9 B9 


CMP #$B9 


0A23- B0 F7 


BCS $0A1C 


0A25- C9 Bl 


CMP #$B1 


0A27- 90 F3 


BCC $0A1C 


0A29- E9 B0 


SBC #$B0 


0A2B- 8D 4B 0A 


STA $0A4B 


0A2E- A9 60 


LDA #$60 


0A30- 85 A9 


STA $A9 


0A32- 4C 02 20 


JMP $2002 


0A35- 85 FE 


STA $FE 


0A37- 86 FF 


STX $FF 


0A39- A0 00 


LDY #$00 


0A3B- Bl FE 


LDA ($FE),Y 


0A3D- F0 05 


BEQ $0A44 


0A3F- 91 28 


STA ($28) ,Y 


0A41- C8 


INY 


0A42- D0 F7 


BNE $0A3B 


0A44- 60 


RTS 



This code will set up the display on the text screen, get the slot 
number and place it at $A4B, and store a $60 at $A9 before 
performing the aforementioned JMP $2002. 

| 7 | Make a couple of modifications to the main program so that 
it works with the previous hexdump, then save it: 

2005:20 78 12 

2008: AD 43 OB FO OD 4C 1C OA 

1B13:EA EA EA 

B60:00 

BSAVE FAST COPY.LS, A$A00,L$2CFB 

You should now have a 46-sector, working copy of this great fast 
copy utility. 



i 
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CSaver 



The Advanced Way To Store 
Super IOB Controllers 

by Ray Darrah 
(Hardcore COMPUTIST # 13, page 16) 



Requirements: 

Apple ][ with Applesoft in ROM 
16K RAM (or language) card 
DOS 3.3 (not PRODOS) 

After reading Ken Burnell's letter in Hardcore COMPUTIST 
#12, I realized that saving Super IOB controllers with The 
Controller Saver from The Book Of Softkeys Volume II page 
146 (Hardcore COMPUTIST # 10) isn't as convenient as: 

&Holding 

and 

&Merging 

them. Therefore, I wrote CSAVER (pronounced "SEE SAVER" ) 
which adds the capability of holding programs and merging them. 

Typing It In 

Entering the CSAVER is quite simple. Merely type in the hexdump 
at the end of this article and: 

BSAVE CSAVER, A$4000,L$1 11 

To install the CSAVER, type: 

BRUN CSAVER 

It will appear as if nothing has happened to your precious 
computer but, in fact, all kinds of strange and wondrous events have 
occurred: Your entire language card has been filled with the image 
of your Applesoft ROMS; a small routine that hides and merges 
programs has been relocated into page $F7 of your language card; 
a short routine that calls the hider and merger at $F700 has been 
placed in the end of page three; and the ampersand has been 
revectored to the short page three routine. 
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How To Use The CSAVER 

Once CSAVER has been installed, you should LOAD (yes, an 
Applesoft file) the controller and then type: 
&H 

This will put the controller on 'hold', allow you to LOAD Super 
IOB, and finally let you should merge the programs by typing: 
&M 

It is important to note that when the two programs are merged, 
the one on 'hold' takes precedence over the one LOADed second. 
That is: Lines of the program just LOADed will be overwritten (by 
the program on 'hold') when the line numbers are the same. 

CSAVER will work on most programs that you wish to merge. 
Just be sure to first LOAD the program you wish to have precedence. 
Note: Remember to use FP when clearing Applesoft programs when 
CSAVER is installed, not NEW. 

The Inner Workings 

Those of you who get a little queasy when the conversation swings 
toward machine language might avoid some discomfort by skipping 
the following text: 

When CSAVER is BRUN, the ampersand JuMP vector is set to 
$3B5. Next, memory locations $403D through $4057 are copied 
into locations $3B5 through $3CF. Third, the code from $401A 
through $4032 copies the Applesoft ROMs into the language card. 
The last thing to happen is that the main routines of the CSAVER 
(locations $4058 through $4110) are copied into the language card 
starting at $F700. This area is usually occupied by the hi-res routines 
HPLOT, ROT= and XDRAW etc. But since CSAVER' s main 
routines don't use any hi-res routines while holding or merging 
programs, they can occupy that area. 

An Encountered Ampersand 

When the Applesoft interpreter comes across the ampersand, it 
reads one more character (from the input line or BASIC program) 
into the A-register and JuMPs to address $3F5. 

The routine at $3F5 (placed there after CSAVER is BRUN) 
switches the RAM card so that it is just like RAM (you can read 
from and write to it) and then JuMPs to $F700 which is the entry 
to the main routines of the CSAVER. The enabling of the language 
card in this manner is .necessary because of a routine at $F776 that 
is like the CHRGET routine (at location $00B1) used by Applesoft. 

The remainder of the routines in page 3 are used by CSAVER 
as exits. All of them start by disabling the language card and then 
(depending upon which exit) they JuMP to the final routines used 
by CSAVER. 
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The CSAVER Main Routines 

First of all, CSAVER tests to see if a 'hold' was specified. If not, 
execution continues at $F72E. 

The Hold Routine 

If a 'hold' was specified, then the code at $F704 through $F712 
makes sure that the beginning of program is set $801 (i.e. a program 
has not already been hidden). If the program pointer isn't set to $801 , 
then CSAVER exits via ERROR (at $3BE) which disconnects the 
language card and JuMPs to $FBE2 (the Monitor bell routine). 
Assuming the beginning of program pointer is set correctly, 
CSAVER then stores a $801 into the fake CHRGET routine at $F776. 
Next, it sets the beginning of program pointer equal to the end of 
program pointer and simultaneously calculates the length of the 
program and stores the answer in $FE and $FF. Finally, the hold 
routine exits via EXIT. HOLD (at $3C4) which disconnects the 
language card and JuMPs to the Applesoft NEW routine (at $D64B). 

The Merge Routine 

The code at $F72E through $F731 makes sure that a merge was 
specified. If not, execution goes to the ERROR routine. If a merge 
was specified, then the code at $F732 through $F73D makes sure 
that the beginning of program pointer is not set to $801. If it is, 
CSAVER exits via ERROR. Otherwise, the pointer to the start of 
variables is set equal to the end of program pointer. This has the 
effect of erasing all numeric variables and is necessary for the 
ENTER.LINE routine called later. 

Next, CSAVER sets the COUT vector to point to DO. 1 .LIN. This 
must be done because the ENTER.LINE routine doesn't end with 
a RTS. Instead, it prints a prompt and waits for another line to enter. 
Therefore, by setting the COUT vector to DO. 1. LIN as soon as 
ENTER.LINE prints the prompt, CSAVER takes over again. 

The two PLA instructions at the beginning are meant to remove 
the JSR to COUT (in order to print the prompt) but eliminate the 
JSR to the Applesoft command handler the first time through. The 
two JSRs to CHRGET get the line link pointer. If the MSB is zero, 
then we have merged the whole program and execution continues 
at DONE.MERGE. 

If the MSB wasn't zero, then DO. 1. LIN sets the entry conditions 
for ENTER.LINE by making LINNUM equal to the line number 
we wish to enter, putting the tokenized line in the input buffer and 
setting register Y to 5 more than the length of the line. ENTER.LINE 
enters the tokenized line just as if you typed it. 

CHRGET gets a byte from the program on 'hold', increments 
its pointer, and returns. 

DONE.MERGE starts by setting the beginning of program pointer 
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back to $801 and then moves the merged program back to $801 
via the Monitor MOVE routine. It does a PR#0 (JSR SETVID) so 
that the COUT vector is fixed and then reconnects DOS. Next, it 
fixes the start of variables pointer by subtracting the length from 
the end of program pointer. Last, it exits via EXIT. MERGE which 
disconnects the language card and then JuMPs to a routine in 
Applesoft which fixes the line number link numbers. 
That's all there is to hiding and merging programs. 



CSAVER Hexdump 


4000: 


A9 


4C 


8D 


F5 


03 


A9 


B5 8D 


4008: 


F6 


03 


A9 


03 


8D 


F7 


03 A2 


4010: 


1A 


BD 


3F 


40 


9D 


B5 


03 CA 


4018: 


10 


F7 


AD 


81 


C0 


AD 


81 C0 


4020: 


A2 


00 


BD 


00 


D0 


9D 


00 D0 


4028: 


E8 


D0 


F7 


EE 


24 


40 


EE 27 


4030: 


40 


D0 


EF 


BD 


5A 


40 


9D 00 


4038: 


F7 


E8 


E0 


B7 


D0 


F5 


60 AE 


4040: 


83 


C0 


AE 


83 


C0 


4C 


00 F7 


4048: 


AD 


82 


C0 


4C 


E2 


FB 


AD 82 


4050: 


C0 


4C 


4B 


D6 


AD 


82 


C0 4C 


4058: 


F2 


D4 


C9 


48 


D0 


2A 


A5 67 


4060: 


C9 


01 


F0 


03 


4C 


BE 


03 A4 


4068: 


68 


C0 


08 


D0 


F7 


8D 


77 F7 


4070: 


8C 


78 


F7 


A5 


AF 


85 


67 38 


4078: 


E9 


01 


85 


FE 


A5 


B0 


85 68 


4080: 


E9 


08 


85 


FF 


18 


4C 


C4 03 


4088: 


C9 


4D 


D0 


D8 


A5 


67 


C9 01 


4090: 


D0 


06 


A5 


68 


C9 


08 


F0 CC 


4098: 


A5 


AF 


85 


69 


A5 


B0 


85 6A 


40A0: 


A9 


4E 


85 


36 


A9 


F7 


85 37 


40A8: 


68 


68 


20 


76 


F7 


20 


76 F7 


40B0: 


AA 


F0 


29 


20 


76 


F7 


85 50 


40B8: 


20 


76 


F7 


85 


51 


A0 


00 20 


40C0: 


76 


F7 


99 


00 


02 


C8 


AA D0 


40C8: 


F6 


C8 


C8 


C8 


C8 


4C 


6A D4 


40D0: 


AD 


FF 


FF 


EE 


77 


F7 


D0 03 


40D8: 


EE 


78 


F7 


60 


A5 


67 


85 3C 


40E0: 


A5 


68 


85 


3D 


A9 


01 


85 67 


40E8: 


85 


42 


A9 


08 


85 


43 


85 68 


40F0: 


A5 


AF 


85 


3E 


A5 


B0 


85 3F 


40F8: 


20 


2C 


FE 


20 


93 


FE 


20 EA 


4100: 


03 


38 


A5 


AF 


E5 


FE 


85 69 


4108: 


A5 


B0 


E5 


FF 


85 


6A 


4C CA 


4110: 


03 
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CSAVER Source Code 


03F5 


AMP.VEC 


.EQ $3F5 


& command handler 


FBE2 


BELL 


.EQ $FBE2 




0067 


PRG.BEG 


.EQ $67 


program beginning pointer 


00AF 


PRG.END 


.EQ $AF 


end of program pointer 


D64B 


NEW 


.EQ $D64B 


routine that does a new 


0069 


VARTAB 


.EQ $69 


pointer to start of variables 


0036 


COUT.VEC 


.EQ $36 


location that point to output 
routine 


0050 


LINNUM 


.EQ $50 


used to determine the 1 ine we 
are on right now 


0200 


BUFF 


.EQ $200 


Input buffer 


D46A 


ENTER. LINE 


.EQ $D46A 




00B8 


TXT.PTR 


.EQ $B8 




003C 


Al 


.EQ $3C 


Move from 


003E 


A2 


.EQ $3E 


Move to 


0042 


A4 


.EQ $42 


Move into 


FE2C 


MOVE 


.EQ $FE2C 


Monitor move routine 


D4F2 


FIX. LINKS 


.EQ $D4F2 


fixes the 1 ine number 1 ink bytes 


FE93 


SET.VID 


.EQ $FE93 


Routine that does a PR#0 


00FE 


LEN 


.EQ $FE 


Length of hidden program 


C080 


RD.RAM 


.EQ $C080 


Read Language card 


C082 


RD.ROM 


.EQ $C082 


Read ROMS 


C083 


RD. WR.RAM 


.EQ $C083 


RAMat ize language card 


C081 


WR.RAM 


.EQ $C081 


Read ROM, Write RAM 


F700 


CSAVE1 


.EQ $F700 


CSAVE is moved to here 


* 




.OR $4000 


out of the way 


* HOOK UP THE AMPERSAND LOCATION 


4000 




LDA #$4C 


a JMP instr 


4002 




STA AMP.VEC 




4005 




LDA #$3D0- END 


. AMP+BEG.AMP 


4007 




STA AMP.VEC+1 


Make Ampersand 


400A 




LDA /$3D0- END 


.AMP+BEG.AMP 


400C 




STA AMP.VEC+2 


Start of program 


* PUT AMPERSAND JUMP ROUT 1 NE 1 NTO PAGE 3 

* 



400F LDX # END. AMP- BEG. AMP- 1 

4011 MOVE. AMP LDA BEG. AMP, X 

4014 STA $3D0 - END. AMP+BEG.AMP.X 

4017 DEX 

4018 BPL MOVE. AMP 

* 

s MOVE THE CSAVE ROUT I NE I NTO THE RAM CARD 

* 

401A LDA WR.RAM 
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401D 


LDA WR.RAM 


twice! 


4020 


LDX #0 


Start at zero 


4022 COPY. ROM 


LDA $D000,X 


Move ROM into 


4025 


STA $D000,X 


RAMcard 


4028 


INX 




4029 


BNE COPY. ROM 


Finish page 


402B 


INC COPY.ROM+2 


Next page 


402E 


INC COPY.ROM+5 


LDA and STA 


4031 


BNE COPY. ROM 


Not done! 


4033 MOVE. CSV 


LDA CSAVE ,X 


Move CSAVE 


4036 


STA CSAVE 1,X 


into RAMcard 


4039 


INX 


Next byte 


403A 


CPX #END. CSAVE 


-$F700 


403C 


BNE MOVE. CSV 


unti 1 done 


403E 

* 


RTS 




* DO A HIDE OR MERGE 


403F BEG. AMP 


LDX RD.WR.RAM 


RAMcard on 


4042 


LDX RD.WR.RAM 


twice! 


4045 


J MP CSAVE 1 


Perform function 


03BE ERROR 


,EQ $3BE 




4048 


LDA RD.ROM 




404B 


JMP BELL 


Beep! 


03C4 EX IT. HOLD 


,EQ $3C4 




404E 


LDA RD.ROM 




4051 


JMP NEW 




03CA EX IT. MERGE 


i .EQ $3CA 




4054 


LDA RD.ROM 




4057 


JMP FIX. LINKS 




END. AMP 






'START OF CSAVE ROUTINES 

* 




.OR $F700 






.TA $405A 




405A CSAVE 


.EQ $405A 




F700 


CMP #'H 




F702 

* 


BNE M.CMP 


not an H so try M 


* HOLD THE CONTROLLER 

* 


F704 


LDA PRG.BEG 


Make sure program 


F706 


CMP #1 


pointer is at $801 


F708 


BEQ TRY. MSB 


o.k. so far 


F70A HOLD. ERR 


JMP ERROR 


Error! 


F70D TRY. MSB 


LDY PRG.BEG+1 


See i f i t i s 8 


F70F 


CPY #8 


Y, not A because of merge store 


F711 


BNE HOLD. ERR 


No, error 



136 The Book Of Softkeys Volume III 



F713 




STA CHRGET+1 


for merge later 


F716 




STY CHRGET+2 


CHRGET to get at $801 


F719 


HOLD 


LDA PRG.END 


Make start of program 


F71B 




STA PRG.BEG 


equal to current end of program 


F71D 




SEC 




F71E 




SBC #1 


Find length of progr 


F720 




STA LEN 




F722 




LDA PRG.END+1 




F724 




STA PRG.BEG+1 




F726 




SBC #8 


Finding length 


F728 




STA LEN+1 




F72A 




CLC 




F72B 

* 




JMP EX IT. HOLD 


and do a new 


* TRY FOR MERGE 

* 


F72E 


M.CMP 


CMP #'M 




F730 




BNE HOLD. ERR 


not M either, error! 


4 DO THE MERGE 

* 


F732 




LDA PRG.BEG 


Make sure 


F734 




CMP #1 


a program is 


F736 




BNE DO. MERGE 


on hold 


F738 




LDA PRG.BEG+1 




F73A 




CMP #8 




F73C 




BEQ HOLD. ERR 


Nope! 


F73E 


DO. MERGE 


LDA PRG.END 


Squash variable 


F740 




STA VARTAB 


table 


F742 




LDA PRG.END+1 




F744 




STA VARTAB+1 




F746 




LDA #D0.1.LIN 


point COUT toO DO. 1. LIN 


F748 




STA COUT.VEC 


so that when 


F74A 




LDA /DO. 1. LIN 


finished, 


F74C 

* 




STA COUT.VEC+l 


do next one 


* DO ONE LINE 


F74E 


DO. 1. LIN 


PLA 


pop off JSR 


F74F 




PLA 




F750 




JSR CHRGET 


skipLSB link 


F753 




JSR CHRGET 


Get MSB 


F756 




TAX 




F757 




BEQ DONE. MERGE 


when LINK=0, done 


F759 




JSR CHRGET 


get LINNUMBER 


F75C 




STA LINNUM 




F75E 




JSR CHRGET 




F761 




STA LINNUM+1 




F763 




LDY #0 


Fi 1 1 input buffer 
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F765 


.2 


JSR CHRGET 




F768 




STA BUFF.Y 




F76B 




INY 




F76C 




TAX 


End of 1 ine? 


F76D 




BNE .2 


Nope, move next byte 


F76F 




INY 


Ymust equal EOL+5 


F770 




INY 


for the enter 1 ine 


F771 




INY 


routine 


F772 




INY 




F773 




JMP ENTER. LINE 


Put this 1 ine in the program 


F776 


CHRGET 


LDA $FFFF 


Dummy number 


F779 




INC CHRGET+1 




F77C 




BNE .1 




F77E 




INC CHRGET+2 




F781 


.1 


RTS 




* FINISH MERGE 




DONE. MERGE 






F782 




LDA PRG.BEG 


Move program 


F784 




STA Al 




F786 




LDA PRG.BEG+1 


back to $801 


F788 




STA Al+1 




F78A 




LDA #1 




F78C 




STA PRG.BEG 




F78E 




STA A4 




F790 




LDA #8 




F792 




STA A4+1 




F794 




STA PRG.BEG+1 




F796 




LDA PRG.END 




F798 




STA A2 




F79A 




LDA PRG.END+1 




F79C 




STA A2+1 




F79E 




JSR MOVE 


Move it down! 


F7A1 




JSR SET.VID 


PR#0 


F7A4 




JSR $3EA 


Reconnect DOS 


F7A7 




SEC 


Move program end down 


F7A8 




LDA PRG.END 




F7AA 




SBC LEN 




F7AC 




STA VARTAB 




F7AE 




LDA PRG.END+1 




F7B0 




SBC LEN+1 




F7B2 




STA VARTAB+1 




F7B4 


END.CSAVE 


JMP EX IT. MERGE 
1 


Exit via FIX. LINKS 
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The CORE 
Disk Searcher 



by Bryce L. Fowler & Ray Darrah 
(Hardcore COMPUTIST # 12, page 19) 



Requirements: 

48K Apple ][ with Applesoft 
DOS 3.3 (not PRODOS) 



Hardcore COMPUTIST publishes some softkeys that involve 
finding one or more specific bytes on a disk. Often, for one reason 
or another, the location of these bytes is not known. In these softkeys 
a disk search utility is required. For those who don't have a program 
with this capability, I wish to present The CORE Disk Searcher. 

The CORE Disk Searcher (CDS) will search an entire disk in just 
over a minute and a half for one string of input. CDS will display 
the track, sector and starting byte where each search string is found. 
Provisions have been made to allow for searching less than the entire 
disk, searching hard disks, scanning protected disks and skipping 
tracks or sectors. 

Type in the BASIC program listing at the end of this article and: 

SAVE CORE DISK SEARCHER 

Next, type in the hexdump at the end of this article and: 
BSAVE SEARCH.OBJ,A$2F8,L$B9 

Using The Program 

When CDS is RUN, you will first be prompted whether to make 
any DOS ALTERATIONS or not. If you type a (£), then you may 
change the address marks, data marks and the option to ignore the 
checksum or not. If you place a 00 in any of the input string, then 
that byte is considered ignored. An example would be if you wanted 
to ignore the second byte of the address start marker you would 
change the string to D50096. This feature allows you to search even 
some protected diskettes. 

Next, you will be prompted for the DISK SLOT and DRIVE 
numbers where the disk to be searched will be placed. To enter the 
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default values of the last accessed disk, you merely press I return | . 
Third, you will be prompted for the high track, low track and 
track step. The HIGH TRACK is the highest track you wish to be 
searched. The LOW TRACK is the lowest track you wish searched. 
The TRACK STEP is a whole number that determines whether or 
not to skip any tracks. A track step of one will evenly search every 
track. But a track step of two will skip every other track. 

A Word About The Inputs 

The input values in CDS aren't checked very thoroughly (so as 
to work on drives with more tracks or sectors etc.) so be sure that 
you enter them correctly. Note: All values in this program are 
hexadecimal unless otherwise noted. When two digits are displayed 
as the default and you must type a preceding zero if you wish to 
change it to a one digit number (ex. type 0E for a high track of 
$E). Pressing I return | in the middle of a hexadecimal string will not 
truncate it at the cursor position. However, pressing I return | in the 
middle of an ASCII string will. 

Next you are asked for the HIGH SECTOR, LOW SECTOR and 
SECTOR STEP. These are similar to the track prompts preceding 
them except these deal with sectors instead of tracks. 

This is followed by the SLOT FOR PRINTOUT. A zero will print 
the search results to the screen. Any other number will attempt to 
print the results to a printer in the corresponding slot. If you select 
a slot other than zero, be sure your printer is ON before continuing. 

The Wildcard 

Next, you will be asked if you wish a wildcard or not. If you 
answer (T]> then the hexadecimal value of this wildcard must be 
input. If this wildcard is contained in any of the search strings, that 
byte in the string will match any byte on the disk. 

Entering The Search Strings 

Finally, you will be asked to enter the strings to search for. There 
are three types of search strings (displayed at the top of the screen). 
They are LOW ASCII, HIGH ASCII and HEXADECIMAL. CDS 
will first ask you for the type of string that is to follow: 
You may press a: quote CD for high ASCII 

apostrophe □ for low ASCII 
dollar sign SD for hexadecimal. 

After the type indicator, you may enter the string to search for. 
Up to eighty search strings may be entered. This should 
be more than enough for your searching needs. When you finish 
entering all the search strings, press I return | when asked for the 
type of string. 
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Pausing 

CDS will automatically pause every time it finds a search string. 
To get it going again, press any key. To stop CDS from pausing, 

press the (He). 

The Assembly Language Subroutine 

The machine language portion of the CORE Disk Searcher is rather 
unique. When it is BRUN, SEARCH. OBJ hooks itself up to the now- 
famous ampersand (&) vector. Once hooked up, you pass it 
commands in the form & X,Y,Z where X and Y are the track and 
sector numbers (respectively) of the sector to be searched, and Z 
is the number of strings to compare. As soon as Applesoft encounters 
this statement, SEARCH. OBJ will read the specified track and sector 
(into the input buffer ($200— $2FF)) and then compare Z number 
of strings (starting with string 0) in the first dimensioned array. 
Therefore, the array that is dimensioned first must be one 
dimensional and must be set to the strings you wish to search for. 
In the BASIC program, this is F$. 

If you wish to use a wildcard value in the search, you must place 
a number greater than 127 in location 249 ($F9) and the value of 
the wildcard in location 250 ($FA). 

When SEARCH. OBJ returns (to whomever called it), location will 
be incremented if a string has been found and decremented if a disk 
error has occurred. If a string has been matched, location 1 holds 
the byte position in the sector where the string starts and location 
255 ($FF) holds information about which string it was. 

If a string has been found, then another ampersand must not be 
performed. Instead, a CALL to the 'Continue Scanning' part of the 
program must occur in order to continue the search. 

Closing Notes 

Few provisions have been made for error handling. This was done 
in the BASIC program to ensure compatibility with a wide range 
of off-line mass storage devices, and in the Assembly program 
because I wanted it to fit into page 3. 

Boink! 

I hate programs that don't have some element of humor in them. 
I program mostly for fun, and want my programs to reflect that. 
I have, therefore, included a humorous sound routine that is executed 
just prior to exiting the Applesoft program. The noise it makes 
sounds like its name, "Boink". You gamers out there might like 
to use this routine. It's relocatable and very friendly. 



The Book Of Softkeys Volume III 141 



Core Disk Searcher BASIC listing 

10 REM 

20 REM - THE CORE 

30 REM- DISK SEARCHER 

40 REM - 
50 REM - BY RAY DARRAH 

60 REM 

70 REM 

80 GOTO 380 

90 NF = - 1 : I F NS = Z THEN 800 

100 HOME : POKE 34 ,TW : PR# PR : PRINT : VTAB 3 

110 PRINT "CORE 4 DISK' SEARCHER" : PRINT : PRINT "STRINGS: " 

120 FORA = ZTONS -01 : PRINT A + 01 V"P$(A) ""-"" ; 

130 IF P$(A ) = F$(A ) THEN PRINT "LOW' ASCI I" : GOTO160 

140 IFASC (P$(A) ) =ASC(F$(A) ) - 128 THEN PRINT "HIGH" ASCI I " : 

GOTO 160 
150 PRINT "HEX" 

160 NEXT : PRINT : I F W$ < > " " THEN PRINT "Wl LDCARD" =>$ " W$ : PR I NT 
170 Y = PEEK (37 ) : POKE 249 ,W1 : POKE 250 ,W2 : FOR A = T2 TO Tl 

STEP - TS 
180 FOR B = SI TO S2 STEP SS : PR# Z : VTAB 01 : HTAB 01 
190 PR I NT "SCANNING" TRACK'" ; : POKE C2 ,A : CALL CI : PRINT"," 

SECTOR"" ; : POKE C2 , B 
200 CALL CI : POKE Z ,Z : & A ,B , NS : IF PEEK (Z ) = 255 THEN 300 
210 IF PEEK (Z ) = Z THEN NEXT : NEXT : POKE - 16368 ,Z : GOTO 370 
220 HTAB 01 : VTAB Y + 01 : PR# PR : NF = NF + 01 : IFNF/10O INT 

(NF / 10 ) THEN 240 
230 PRINT "STRING" SPC( 6 ) "TRACK" SPC( 6 ) "SECTOR" SPC( 6 ) 

"BYTE" 
240 PRINT """ "NS- PEEK (255) +01 TAB( 14); 
250 POKE C2 ,A : CALL CI : PRINTSPC( 8 ) ; : POKE C2 ,B 
260 CALL CI : PRINT SPC( 8 ) ; : POKE C2 , PEEK (01 ) : CALL CI : PRINT 

CM$; 
270 Y = PEEK (37 ) : IF PEEK (-16384) <> 155 THEN WAIT - 16384 ,128 
280 IF PEEK ( - 16384 ) <> 155 THEN POKE - 16368 ,Z 
290 POKE Z ,Z : CALL C3 : GOTO 210 
300 HOME : PRINT CHR$ (7 ) "SECTOR" UNREADABLE ! " : PRINT : PRINT 

"PROCEED" TO:" : PRINT 
310 PRINT "1)"NEXT" SECTOR" : PRINT "2) "BEG INNING" OF" PROGRAM" : 

PRINT "3) "BASIC" : PRINT 
320PRINT"°WHICH"?"CH$; 
330 GET A$ : IF A$ < "1" OR A$ > "3" THEN 330 
340 HOME : ON VAL (A$ ) GOTO 350 , 360 , 370 
350 POKE Z ,Z : GOTO 210 
360 RUN 
370 TEXT : CALL 922 : END 
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380 TEXT : NORMAL : SPEED= 255 : DIM F$(80 ) ,P$(80 ) ,HX$(15 ) 

,A0(9 ,2) 
390FORA = 0TO9 : READAD(A ,0) ,AD(A ,2) :HX$(A) = STR$ (A) : 

NEXT : FOR A = TO 5 
400HX$(A+10) =CHR$ (65 + A) : NEXT : IF PEEK (768) + PEEK (769) 

<> 155 THEN PRINT CHR$ (4) "BRUN A SEARCH. OBJ" 
410 FOR A = Z TO 8 :AD(A ,1) =AD(A,0) + TW :NEXT :AD(A ,1 ) =AD(A,0) 
420 CH$ = CHR$ (8 ) :CU$ = CHR$ (21 ) :CM$ = CHR$ (13 ) 
430 01 = 1 :Z = :TW = 2 :C1 = 912 : C2 = 918 :C3 = 905 : PR# Z : IN#Z : 

CALL 1002 
440 HOME : PRINT TAB ( 9 ) "THE 4 CORE 4 DISK 4 SEARCHER" 
450VTAB5 : PR I NT "DOS' ALTERAT I ONS=>N" CH$ ; 
460 GET A$ : I F A$ <> "Y" AND A$ <> "N" AND A$ <> CM$ THEN 460 
470 PRINT A$ : I F A$ = "N " OR A$ = CM$ THEN 590 
480 X = Z :Y = TW : GOSUB 1010 : VTAB 5 : PRINT "ADDRESS 4 START=>" ; : 

GOSUB 1080 
490 GOSUB 1040 :X = 3 :Y = 4 : GOSUB 1010 : PRINT "ADDRESS 4 END=>" ; : 

GOSUB 1080 
500 GOSUB 1040 :X = 5 :Y = 7 : GOSUB 1010 : PRINT 
510 PRINT "DATA 4 START=>" ; : GOSUB 1080 : GOSUB 1040 :X = 8 :Y = 9 : 

GOSUB 1010 
520 PRINT "DATA 4 END=>" ; : GOSUB 1080 : GOSUB 1040 
530 POKE 47422 ,201 : IF PEEK (47423 ) = Z THEN POKE 47422 ,41 
540 PRINT : PRINT " IGNORE 4 CHECKSUM=>N" CH$; : I F PEEK (47498) =Z 

THEN PRINT "Y" CHS; 
550 GET A$ : I F A$ <> "Y" AND A$ <> "N" AND A$ <> CM$ THEN 550 
560 I F A$ = CMS THEN PR I NT : GOTO 580 

570 PR I NT A$ : POKE 47498 , 183 : I F A$ = " Y" THEN POKE 47498 , Z 
580 PRINT 
590 PRINT "DISK'SLOT=>" ; : PS = STR$ ( PEEK (47081 )/ 16 ) : GOSUB 

1080 : GOSUB 1230 
600 I F R < 01 OR R > 7 THEN 590 
610 POKE 47081 ,R* 16 

620 PRINT "DRIVE=>" ; :P$ = STRS ( PEEK (47082 ) ) : GOSUB 1080 
630 IF P$ < "1" OR P$ > "9" THEN 620 
640 POKE 47082 , VAL (P$ ) : PRINT 

650 PRINT "HIGH a TRACK=>" ; : P$ = "22" : GOSUB 1080 : GOSUB 1230 
660 T2 = R : I F T2 < Z OR T2 > 35 THEN 650 
670 PRINT "LOW 4 TRACK=>" ; :P$ = "00" : GOSUB1080 : GOSUB1230 
680 Tl = R : I F Tl < Z OR Tl > T2 THEN 670 
690 PRINT "TRACK 4 STEP=>" ; :P$ = "01" : GOSUB1080 : GOSUB1230 
700 TS = R : I F TS < 01 THEN 690 
710 PRINT 

720PRINT"HIGH 4 SECTOR=>" ; :P$="0F" : GOSUB 1080 : GOSUB 1230 
730 S2 = R : IF S2 < Z THEN 720 

740 PRINT" LOW 4 SECTOR=>" ; :P$ = "00" : GOSUB 1080 : GOSUB 1230 
750 SI = R : IF SI < Z OR SI > S2 THEN 740 

760 PRINT "SECTOR 4 STEP=>" ; : P$ = "01" :GOSUB1080 : GOSUB1230 :SS=R 
770 PRINT 
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780 PRINT "SLOT" FOR"PRINTOUT=>" ; :P$= "0" : GOSUB1080 : GOSUB1230 

790 PR = R : I F PR > 7 THEN 780 

800 HOME : PRINT SPC( 13 ) "SEARCH" STRINGS" CM$ : PR I NT " USE" A" 

WILDCARD?=>N"CHS; 
810 P$="" :W1 = Z : GETA$ : PRINT A$ : IF A$ <> "Y" THEN 830 
820 PRINT "WILDCARD 4 VALUE" =>$" ; :P$ = "00" : GOSUB 1080 :W1 = 128 ■ 

GOSUB1230 :W2 = R 
830W$ = P$ : PRINT : PRINT "'"=" LOW" ASCII " : PRINT CHR$ (34 ) ""=" 

HIGH" ASCI I" :NS = Z 
840 PR I NT "$"="HEX" : PRINT "<CR>'=" NO" MORE" STRINGS" 
850 PRINT : PRINT "TYPE"OF"STRING=>" ; :GETA$ 
860 I F A$ <> CHR$ (34 ) AND A$ <> "$" AND A$ <> AND A$ < > CM$ 

THEN 850 
870 IF A$ = CM$ THEN 90 
880 PRINT A$ : IF A$ <> "$" THEN 940 
890 P$= """" : FORA = 01T04 :P$ = P$ + P$ : NEXT : GOSUB 1080 
900 P$(NS ) = P$ : FOR A = LEN (P$(NS ) ) TO 01 STEP - 01 
910 IF MID$ (P$(NS) ,A ,01 ) = """THEN NEXT: GOTO 850 
920P$(NS) = LEFTS (P$ ,A) :F$(NS ) = "" : FOR A = 01 TO LEN (P$(NS) 

) STEP TW 
930 P$ = MID$ (P$(NS) ,A ,TW) : GOSUB 1230 :F$(NS) = F$(NS) + CHR$ 

(R ) : NEXT A : GOTO 980 
940 INPUT "" ;P$(NS ) : IF P$(NS ) = "" THEN 850 

950 F$(NS ) =P$(NS) : I F A$ = THEN 980 

960 F$(NS ) = "" : FOR A = 01 TO LEN (P$(NS ) ) 

970 F$(NS ) =F$(NS) + CHR$ (ASC(MID$ (P$(NS) ,A ,01 ) ) + 128 ) : 

NEXT 
980 NS = NS + 01 : IF NS < 81 THEN 850 
990 GOTO 90 

1000 REM FORM P$ FROM ADDRESSES 
1010 P$= "" : FORA = XTOY : IFPEEK (AD(A ,01 ) ) =ZTHENP$ = P$ + 

"00" : NEXT : RETURN 
1020 R = PEEK (AD(A ,Z) ) :P$ = P$ + HX$( INT (R / 16 ) ) + HX$(R- 

INT (R / 16 ) s 16) : NEXT : RETURN 
1030 REM POKE P$ INTO ADDRESSES 
1040 A$ = P$ : FORA = XTOY :P$ = MID$ (A$ ,TW* (A - X ) +01 ,TW) : 

GOSUB 1230 
1050 IF R = Z THEN POKE AD (A ,01 ) ,Z : NEXT A : RETURN 
1060 POKE AD(A ,01 ) ,AD(A ,TW) : POKEAD(A ,Z) ,R : NEXT A : RETURN 
1070 REM INPUT HEX NUMBER 

1080 A = PEEK (36) : PRINT P$; : POKE 36 ,A : B = 01 :A = LEN(P$) 
1090 GET A$ : IF A$ = CM$ OR A$ = CHS OR A$ = CUS THEN 1170 
1100 IF B> (A) THEN 1090 

1110 IF (AS < "0" OR A$ > "9" ) AND (AS < "A" OR AS > "F" ) THEN 1090 
1120 IF B = 01 AND LEN (PS ) = 01 THEN P$ = AS : GOTO 1160 
1130 IF B = 01 THEN PS = A$ + RIGHTS (P$ ,A-01 ) : GOTO 1160 
1140 IF B = (A ) THEN PS = LEFTS (P$ ,A-01 ) +A$ : GOTO 1160 
1150 PS = LEFTS (PS ,B-01 ) + AS + RIGHTS (P$ ,A-B) 
1160 PRINT AS; :B = B + 01 : GOTO 1090 
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1 1 70 I F A$ = CMS THEN PR I NT : RETURN 

1180 I F A$ = CH$ AND B = 01 THEN 1090 

1190 IF A$ = CH$ THEN PRINT A$; : B = B - 01 : GOTO 1090 

1200 IF B > (A) THEN 1090 

1210 A$ = MID$ (P$ ,B ,01 ) : GOTO 1110 

1220 REM CONVERT P$ TO DECIMAL 

1230 R = Z : FOR B = LEN (P$ ) - 01 TO Z STEP - 01 : FOR C = Z TO 15 

1240 IFMIDS (P$ , LEN (P$ ) - B ,01 ) <> HX$(C ) THEN NEXT 

1250 R = R+ INT (16 * B * C) : NEXT B : RETURN 

1260 REM DATA FOR ALTERED MARKS 

1270 DATA 47445 ,240 ,47455 ,242 ,47466 ,231 

1280 DATA 47505 ,174 ,47515 ,164 

1290 DATA 47335 ,244 ,47345 ,242 ,47356 ,231 

1300 DATA 47413 ,10 ,47423 ,170 



Core Disk Searcher hexdump 

02F0: A9 00 8D F6 03 A9 03 8D 

02F8: F7 03 A9 4C 8D F5 03 60 

0300: 20 7B DD 20 F2 EB A5 Al 

0308: 8D EC B7 20 BE DE 20 7B 

0310: DD 20 F2 EB A5 Al 8D ED 

0318: B7 20 BE DE 20 7B DD 20 

0320: F2 EB A5 Al 85 FF A9 01 

0328: 8D F4 B7 A9 00 8D F0 B7 

0330: 8D EB B7 A9 02 8D Fl B7 

0338: 20 E3 03 20 D9 03 90 03 

0340: C6 00 60 A9 07 85 FE A4 

0348: FE Bl 6B 85 FD C8 Bl 6B 

0350: 85 FB C8 Bl 6B 85 FC C8 

0358: 84 FE A2 00 A0 00 Bl FB 

0360: 24 F9 10 04 C5 FA F0 0A 

0368: DD 00 02 F0 05 E8 D0 EC 

0370: F0 08 C8 C4 FD B0 08 E8 

0378: D0 E4 C6 FF D0 C9 60 E6 

0380: 00 E8 CA 88 D0 FC 86 01 

0388: 60 A6 01 E8 D0 CE F0 EA 

0390: A9 A4 20 ED FD A9 00 4C 

0398: DA FD A0 6E AD 30 C0 98 

03A0: 38 E9 01 D0 FB 88 D0 F4 

03A8: 60 
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Search. obj source code 


1000 


FRM.EVAL 


EO 


$DD7B 


Evaluates the BASIC expr 


1010 


AMP.VEC 


EQ 


$3F5 


BASIC JSRs here when it 
gets an & 


1020 


INT.CONV 


EQ 


$EBF2 


Converts FAC into an 
integer at $A0 and $A1 


1030 


COM.CHK 


EQ 


$DEBE 


Makes sure COMM as 
separate parameters 


1040 


RWTS 


EO 


$3D9 


Hooked to RWTS 


1050 


I0B.TRK 


EO 


$B7EC 


RWTS track parameter 


1060 


1 OB. SECT 


EQ 


$B7ED 


Sector number 


1070 


FIND.IOB 


EQ 


$3E3 


Loads Aand Ywith the 
add r- of the IOB 


1080 


I0B.BUF 


EQ 


$B7F0 


Pointer to user data 
buffer 


1090 


I0B.CMD 


EO 


$B7F4 


IOB command 


1100 


VAL 


EQ 


$A1 


Where INT.CONV stores its 
answer 


1110 


1 OB. VOL 


EQ 


$B7EB 


RWTS volume expected 


1120 


NUM. STRINGS 


EQ 


$FF 


Number of strings to 
match 


1130 


YSAVE 


EO 


$FE 


String currently on 


1140 


ARRAY. PTR 


EO 


$6B 


Points to start of arrays 


1150 


LEN 


EO 


$FD 


Length of current string 


1160 


STR.PTR 


EQ 


$FB 


And $FC point to current 
string 


1170 


WILD. CARD 


EQ 


$FA 


Wi Idcard character 


1180 


WILD. ON 


EQ 


$F9 


If B7=l Then wi Idcard 
character is val id 


1190 


BUFF 


EO 


$200 


Sector buffer 


1200 


FOUND. FLG 


EO 


$0 


If found, +1 


1210 


POS 


EO 


$1 


Position it was found in 


1220 


COUT 


■EQ 


$FDED 


Print A as ASCI 1 


1230 


PRBYTE 


■EQ 


$FDDA 


Print A as Hex 


1240 


SPEAKER 


■EQ 


$C030 


Toggle speaker location 


1250 










1260 




.OR 


$2F0 


$2F0-$2FF is expendable 


1270 




,TF 


SEARCH. OBJ 




1280 










1290 
1300 


* 








* HOOK UP TO AM 


PERS 


AND 




1310 
1320 


* 
















1330 




LDA 


#MA 1 N . PRG 


LSB 


1340 




STA 


AMP.VEC+1 




1350 




LDA 


/MA IN. PRG 


MSB 
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1360 

1370 

1380 

1390 

1400 

1410 

1420 

1430 

1440 

1450 

1460 

1470 

1480 

1490 

1500 

1510 

1520 

1530 

1540 

1550 

1560 

1570 

1580 

1590 

1600 

1610 

1620 

1630 

1640 

1650 

1660 

1670 

1680 

1690 

1700 

1710 

1720 

1730 

1740 

1750 

1760 

1770 

1780 

1790 

1800 

1810 

1820 

1830 

1840 



STA AMP.VEC+2 

LDA #$4C 

STA AMP.VEC 
RTS 



JMP opcode 
Hookup complete 



GET PARAMETERS FOR SCAN 
AND READ SECTOR 



MAIN.PRG 



JSR 


FRM.EVAL 


Get track# 


JSR 


INT.CONV 


Integer please 


LDA 


VAL 


Get answer 


STA 


IOB.TRK 




JSR 


COM.CHK 


Comma 


JSR 


FRM.EVAL 




JSR 


INT.CONV 




LDA 


VAL 




STA 


1 OB. SECT 




JSR 


COM.CHK 




JSR 


FRM.EVAL 


Put number of 


JSR 


INT.CONV 


strings in VAL 


LDA 


VAL 




STA 


NUM. STRINGS 




LDA 


#1 


Read command 


STA 


IOB.CMD 




LDA 


#0 




STA 


IOB.BUF 


BUF=$200 


STA 


1 OB. VOL 


Any vol 


LDA 


#2 





STA IOB.BUF+1 



TRY TO GET THE SECTOR 



JSR FIND.IOB 

JSR RWTS 

BCC NO. ERR 

DEC FOUND. FLG 
RTS 



Get IOB.PTR 
Get SECTOR 
DOS could read it 
Tell BASIC 



* SETUP STRINGS 



NO. ERR 



LDA #7 
STA YSAVE 



First 
OFFSETT=7 
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1850 
1860 


* 

* GET THE NEXT STRING 






1870 
1880 


* 




















1890 


GET.STNG 


LDY 




YSAVE CURRENT $ 




1900 




LDA 


(ARRAY. PTR), 


Y Get 




1910 




STA 


LEN 


length 




1920 




INY 








1930 




LDA 


(ARRAY. PTR), 


Y ADDR 




1940 




STA 


STR.PTR 






1950 




INY 








1960 




LDA 


(ARRAY. PTR), 


Y 




1970 




STA 


STR.PTR+1 






1980 




INY 








1990 




STY 




YSAVE 4 next $ 




2000 












2010 
2020 


* 










'SCAN FOR A STRING 








2030 
2040 


* 














- 






2050 


TRY.BUF 


LDX 


m 


BUFF=0 




2060 


TRY. CHAR 


LDY 


m 


STRING=0 




2070 


NXT.CHAR 


LDA 


(STR.PTR) ,Y 


Get CHAR 




2080 




BIT 


WILD. ON 


Active? 




2090 




BPL 


NO. WILD 






2100 




CMP 


WILD. CARD 


Match? 




2110 




BEQ 


MATCHED1 






2120 


NO. WILD 


CMP 


BUFF.X 


Match? 




2130 




BEQ 


MATCHED1 






2140 




INX 








2150 




BNE 


TRY. CHAR 






2160 




BEQ 


NXT. STRING 






2170 












2180 


MATCHED1 


INY 




String done? 




2190 




CPY 


LEN 






2200 




BCS 


TELL.B 


Yes! 




2210 




INX 




Next BUFFR 




2220 




BNE 


NXT.CHAR 


Not EOB 




2230 












2240 
2250 


* 










* TRY FOR ANOTHER STRING 






2260 
2270 


* 




















2280 


NXT. STRING 










2290 




DEC 


NUM. STRINGS 


Done? 




2300 




BNE 


GET.STNG 






2310 




RTS 








2320 












2330 
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2330 
2340 
2350 
2360 
2370 
2380 
2390 
2400 
2410 
2420 
2430 
2440 
2450 
2460 
2470 
2480 
2490 
2500 
2510 
2520 
2530 
2540 
2550 
2560 
2570 
2580 
2590 
2600 
2610 
2620 
2630 
2640 
2650 
2660 
2670 
2680 
2690 
2700 
2710 
2720 
2730 
2740 
2750 



* TELL BASIC ABOUT MATCH 

* 


TELL.B 


INC FOUND. FLG 


Found! 




INX 


For continue 


BACKUP 


DEX 


Backup to 




DEY 


Start of $ 




BNE BACKUP 






STX POS 




* 


RTS 




'CONTINUE SCANNING 

* 




LDX POS 


Get old POS 




INX 






BNE TRY. CHAR 


Go! 


* 


BEQ NXT. STRING 


.always 


* PR INT A HEX NUMBER 




LDA #$A4 


Print a "$" 




JSR COUT 






LDA #0 


Dummy number 


* 


J MP PRBYTE 


Print it 


* BOINK! 






* 







TOGGLE 
DELAY 



LDY #$6E 

LDA SPEAKER 

TYA 

SEC 

SBC #1 

BNE DELAY 

DEY 

BNE TOGGLE 

RTS 



Set loop 
Click 

Delay loop gets 
shorter each 
time through 



S 
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Modified ROMs 

As explained in the article How To Use This Book on page 5, 
some softkeys require the user to enter the Monitor during the 
execution of a copy-protected program. One way would be to 
install a modified Reset vector on the computer's motherboard. 
Here's how. 



by Ernie Young 
(Hardcore COMPUTIST # 6, page 14) 

WARNING 

SoftKey Publishing assumes no responsibility for any 
damage done to the computer while following this 
procedure. 



Requirements: 

48K Apple ][ Plus 

One disk drive 

A supply of 2716 16K EPROM chips 

Several 24-pin, low-profile sockets 

Access to an EPROM burner 

Knowledge of Assembly Language is helpful... 



In the article Hidden Locations Revealed (Hardcore 
COMPUTIST # 3, page 10) the author addressed the idea of what 
to do when performing a softkey on a program that uses the text 
page for valid code use. 

He suggested a small hardware modification to the Apple to 
enable one to see the text page of a program while another page 
(i.e., hi-res page) was supposed to be displayed. 

What I am about to discuss is an inexpensive modification to 
your computer that is about as good (maybe even better) than those 
cards that save all of memory. Needless to say, this is a very good 
means to achieve that end on programs which use volatile (easily 
eraseable) memory. 

Volatile memory includes such locations as a great deal of page 
zero, page one, page two and the text page location at $400 to $7FF. 
For example, as you type and characters are echoed onto the text 
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screen, locations $400— $7FF change. Each ASCII character is 
represented on the screen in one of the locations in the range of 
$400 to $7FF. 

In most softkeys it has been assumed that by hitting |reset| 
(with the old-style Monitor, of course) and dropping into Monitor, we 
can snoop through memory and find what we need to save or 
disregard. 

When the text page and the keyboard input buffer (page 2) is 
used for valid program storage, resetting will destroy these volatile 
memory locations. Indeed, it is no new trick to many software 
publishers that using the text page and other volatile memory 
locations is a good way to keep the public from snooping through 
their programs and possibly reducing them to a more copyable form. 

Hitting (reset] 

To understand this more clearly, let's examine what happens 
when you press I reset | . 

Instead of going through the input latch at $C000 as the other 
keys on the keyboard do, the I reset | key is connected directly to 
pin 40 of the 6502 microprocessor chip. This is the big 
long chip just in front of the slots on the motherboard. 

When I reset | is pushed, pin 40 gets connected to ground and 
the computer unconditionally jumps to the address contained in 
locations $FFFC and $FFFD. These locations are in the F8-monitor 
ROM and, depending on which F8-monitor ROM you have, your 
computer can do one of two things. 

There are two flavors of Monitor ROMs in the Apple world, 
known as the 'autostart' and the 'old-style' Monitor ROMs. 

In the 'autostart' F8-ROM, which is used in the Apple 11 Plus 
model, these locations point to a series of routines that check to see 
if the computer is just being powered up or if I reset | had been 
pressed before. If it finds the power already on, it jumps to the 
routine pointed to by locations $3F2 and $3F3. Normally, they point 
to the BASIC warm-start and you get the Applesoft prompt. 

The 'old-style' Monitor found in the older Apple It models has 
$59 and $FF stored in locations $FCCC and $FCCD. This causes 
the Apple to jump to the routines at $FF59. These routines set the 
keyboard for input, the monitor (or TV) for output, the text page 
for viewing and, finally, it puts you in the machine language monitor 
with an asterisk prompt. 

In the 'autostart' ROM, anyone can program where they want 
their Apple to go, when I reset | is pressed, by changing the code at 
$3F2 accordingly. In the 'old-style' Monitor, however, there is no 
way to prevent a reset from occuring and, eventually, giving you 
the Monitor prompt. This is obviously essential if you want to break 
into a program to examine the code but this is no guarantee to 
performing a working softkey. 
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Destructive [ 



RESET! 

The problem is that when we I reset | into the Monitor, many 
locations are destroyed. These locations may or may not be essential 
to thne line when the Monitor prompt is printed. This scrambles 
locations $400— $7F8 and destroys locations $400— $427 
completely. 

Most software publishers know this and use it against us to keep 
us 'unwanteds' from snooping through their code. This becomes 
evident if you hit I reset) and find that the text page is filled with 
garbage and other incomprehensible junk. 

Ultimately, we would like to be able to save locations $00 — 
$8FF in non-volatile memory upon hitting I reset | and, then, to exit 
to the Monitor for examination. I include $800 — $8FF, even though 
it doesn't get destroyed on dHH)ing, because it gets wiped out 
when we do a 48K slave disk boot. The best place to store this 
information would be at $2000— $28FF, since this is normally the 
hi-res page used in most games and is not destroyed by booting a 
slave disk. (Remember that $00— $8FF and $9600— $BFFF are 
destroyed when booting a 48K slave disk). 

In order to save these volatile memory addresses into locations 
$2000— $28FF, we need to change what normally happens when 
we hit I reset | . This may seem impossible to do since what happens 
when we hit that key is predetermined in ROM and, therefore, is 
not changeable. 

Well, yes and no. 

We can copy the code from the F8-ROM down to RAM, change 
it and burn it into a new ROM! 

Help from EPROM 

Of course, this assumes that you have access to an EPROM 
(Eraseable, Programmable, Read-Only Memory) programmer and 
some 2716 EPROM chips. 

Most computer stores that are worth anything will be willing 
to burn you a new 27 16 chip for a reasonable fee if you do not have 
your own access to an EPROM programmer. These 2716 chips are 
available from many sources. See the back of any BYTE magazine 
for names of suppliers of the EPROM if you can't find any locally 
in your area 

So, assuming you have access to these two resources, all we 
have to do is alter the normal F8-code. 

First, let's develop the code that we will need to jump to when 
the I reset | key is pressed, moving memory from $00— $8FF to 
$2000— $28FF. This requires some knowledge of Assembly 
language but if you are not familiar with machine code try and follow 
along anyway. 
(While going to the extreme of burning new ROM, it would also 
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be a good idea to change the NMI (non-maskable interrupt) vector 
to point to our new routine). 

I 1 | Let's start by moving the code at $F800— $FFFF down to 
RAM. Location $2800 would be a good place for it. 

I 2 | We need a place to put our 'Super Saver' routine. We don't 
have any open memory locations, but we do have some routines 
in the monitor code which we never use, like the tape read and write 
routines. These will have to be sacrificed for our new routines. To 
enter this code, carefully type in the hexdump. 

I 3 | Now, change the reset and the NMI vectors in our RAM 
version of the F8-ROM 

2FFA:CD FE CD FE 

I 4 | Save the file onto a disk with the command: 
BSAVE MODIFIED F8.ROM,A$2800,L$800 



I 5 | Now, burn your new EPROM! 

Plugging-in your New F8 Monitor ROM 

In order to use your new, modified ROM, we must install it 
in the motherboard (or in an Integer card). 

But, first, we have to make one explanation: both the 2716 you 
just burned and the original 9316 ROM, used by Apple, are Read- 
Only-Memory devices, containing 2K bytes of information, which 
gives us 16K bits of information. Hence, 16K ROMs. But, 
unfortunately, they are not totally compatible. The arrangement of 
the pin numbers are slightly different. 

To use your new EPROM, you must either make these changes 
directly to the chip itself (not advisable), or to a jumper socket which 
your new chip will plug into. This, then, will be plugged into the 
motherboard, or Integer card. 

For the latter, you will need a 24-pin, low-profile socket, which 
is available from Radio Shack or similar stores. 

With the socket upside-down and the pins looking you in the 
face, it should look like this: 

13 14 15 16 17 18 19 20 21 22 23 24 



1 1 1 1 1 1 1 1 1 1 1 1 


< 


1 1 1 1 1 1 1 1 1 1 1 1 



12 11 10 09 08 07 06 05 04 03 02 01 
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Your soldering skills come in handy now. Using some short, 
hi-gauge wire (wire-wrap is preferrable, but anything in the 26-30 
gauge will work), solder a piece between pins 21 and 24 and then 
solder a piece between pins 12 and 18. 

Be extremely careful not to short out the wire or to cross-solder 
any pins! Also, try and solder as close to the base of the socket as 
possible, since you have to cut off pins 18 and 21 after you have 
finished soldering them. 

The next step is to cut off pins 18 and 21 as close to the base 
of the socket as you can, without cutting the freshly soldered wires. 
Both pins must be short enough so they will not touch the socket 
you will be plugging this one into. The socket should look like this: 



13 14 15 16 17 18 19 20 21 22 23 24 
1 1 11 1 , 11 , 11 



i i i i i i i i i i i i 



12 11 10 09 08 07 06 05 04 03 02 01 

Double-check your soldering and the connections to be certain 
that pins 18 and 21 are cut off. 
Make sure the power is OFF before continuing. 

Now, carefully remove the ROM labelled F8 (it is the socket 
farthest to the left that has 24 pins, as you face the keyboard) and 
plug this jumper socket into the motherboard. (You could plug this 
socket into your integer card in the same fashion). Now, plug the 
modified EPROM into this jumper socket and you will all be done! 

Go ahead and turn on your Apple and, if you had followed these 
instructions correctly, you will see the text page filled with 
"garbage." At this time, press I return | to get things going as usual. 

How to use the 'Super Saver' F8 ROM 

From now on, whenever you press I reset | the computer will just 
freeze (no beep or anything). Then, you must press one of three 
keys, depending on what you want the computer to do. 

First of all, by pressing I return | the computer will just do the 
usual kind of reset (i.e. JuMP to BASIC). Secondly, by typing G3 
the computer will act as if you have the 'old-style' F8-ROM and 
JuMP into the Monitor without any memory saves. Finally, pressing 
CG will engage the 'Super Saver,' thus, moving the volatile memory 
(locations $0000 through $900) into locations $2000 through $2900, 
with the stack pointer saved at $2901 and it will put you in the 
Monitor. 

154 The Book Of Softkeys Volume III 



Here's the process again: 

I 1 I Acquire a blank 2716 and access to an EPROM 
programmer. 

I 2J Boot a disk with normal DOS and enter the monitor: 

CALL-151 



3| Move the memory from ROM to RAM: 
2800<F800.FFFFM 

4 I Type in this hexdump. 

2ECD: 2C 00 CO 

2ED0: 10 FB 8D 10 CO AD 00 CO 
2ED8: C9 2D F0 7D B0 03 4C 62 
2EE0: FA BA 8E 01 29 A0 00 B9 
2EE8: 00 00 99 00 20 B9 00 01 
2EF0: 99 00 21 4C FD FE 20 00 
2EF8: FE 68 68 DO 6C C8 DO E7 
2F00: 84 3C 84 42 84 3E A9 09 
2F08: 85 3F A9 02 85 3D A9 22 
2F10: 85 43 20 2C FE 20 2F FB 
2F18: 20 58 FC 4C 59 FF 60 



Jy Alter the reset and the NMI vectors: 



2FFA: CD FE CD FE 

I 6 I Save the modifications: 

BSAVE MODIFIED F8ROM,A$2800,L$800 



7\ Burn the blank 2716 with this saved code. 

8 I Using a low-profile, 24-pin socket, solder pin 12 to pin 18, 



then solder pin 21 to pin 24. 

I 9j Cut off pins 18 and 21 as close to the socket body as 

possible. 

I 10 1 Plug the jumper socket into the F8 socket on the 
motherboard or Integer card. 

I 11 I Plug the modified 27 16 into the jumper socket and you are 
done! 



S 
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The Armonitor 



by Nick Galbreath 
(Hardcore COMPUTIST #12, page 23) 



Requirements: 

48K Apple with DOS 3.3 



Wouldn't it be nice to be able to find the location of that darned 
I/O ERROR on your disk? You could get out your disk-editing 
program and fix it right then and there! 

Or, how about reconstructing track/sector lists from blown files? 

What about an easy way of learning what the Disk Operating 
System (DOS) does? 

Dream no more. Your wish has been answered. 

This small program, the Armonitor, does all of the above, and 
more. 

In a nutshell, the Armonitor monitors the disk head, recording 
and printing all it does in a simple, logical way. The format of the 
recording is: 

X Y Z 

where: 

X is the operation the disk head is performing. 
The possible operations are: 

S for a seek operation 
R for a read operation 
W for a write operation 

Y and Z, the two-digit hexadecimal numbers which follow X, 
specify the track and sector on which the former operation is in 
effect. 

For example, R 04 0A would mean that DOS is attempting to 
read from track $4, sector $A. 



Typing it In 

1 I Enter the Monitor: 



CALL -151 
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I 2\ Type in this hexdump: 

0300: A9 4C 8D F5 03 A9 10 8D 
0308: F6 03 A9 03 8D F7 03 60 
0310: AD 00 BD CD 68 03 F0 OC 
0318: A2 03 BD 68 03 9D 00 BD 
0320: CA 10 F7 60 A9 20 8D 00 
0328: BD A9 39 8D 01 BD A9 03 
0330: 8D 02 BD A9 EA 8D 03 BD 
0338: 60 48 98 48 20 8B FD AE 
0340: F4 B7 BD 65 03 20 ED FD 
0348: A9 AO 20 ED FD AD EC B7 
0350: 20 DA FD A9 AO 20 ED FD 
0358: AD ED B7 20 DA FD 68 85 
0360: 48 68 85 49 60 D3 D2 D7 
0368: 84 48 85 49 

I 3| Save it. 

BSAVE ARMONITOR,A$300,L$6C 

How to Use It 

Using this utility is quite simple: BRUN the program and then 
press \$\ install the Armonitor. Unfortunately, the Armonitor really 
slows down disk-access time and can be a nuisance for long files. 
However, removing it is as easy as installing it - just re-press[&] 
and it will 'unhook' itself, waiting for another (&] to revive it again. 



i 
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Don't 
Worry 

You can still get Volumes I and II of 
The Book Of Softkeys 



Volume I: Issues 1-5 ($12.95) 



contains softkeys for: Akalabeth | Ampermagic | Apple Galaxian | Aztec | Bag of Tricks I Bill 
Budge's Trilogy | Buzzard Bait | Cannonball Blitz [ Casino | Data Reporter | Deadline i Disk 
Organizer II | Egbert n Communications Disk | Hard Hat Mack | Home Accountant | Homeword | 
Lancaster | Magic Window n | Multi-disk Catalog | Multiplan | Pest Patrol j Prisoner n | Sammy 
Lightfoot | Screen Writer II | Sneakers | Spy's Demise | Starcross | Suspended | Ultima II | 
Visifile | Visiplot | Visitrend | Wimess | Wizardry | ZorkI | Zorkll | Zorkffl | PLUS how-to 
articles and program listings of need-to-have programs used to make unprotected backups. 



Volume II: Issues 6-10 ($12.95) 



contains softkeys for: Apple Cider Spider | Apple Logo | Arcade Machine | The Artist I Bank 
Street Writer | Cannonball Blitz | Canyon Climber | Caverns of Freitag | Crush, Crumble & 
Chomp | Data Factory 5.0 | DB Master | The Dictionary | Essential Data Duplicator I & III | 
Gold Rush | Krell Logo | Legacy of Llylgamyn | Mask Of The Sun | Minit Man | Mouskattack | 
Music Construction Set | Oil's Well | Pandora's Box | Robotron | Sammy Lightfoot | Screenwriter 
II v2.2 | Sensible Speller 4.0, 4.0c, 4.1c | the Spy Strikes Back | Time Zone vl.l | Visible 
Computer: 6502 | Visidex | Visiterm | Zaxxon | Hayden Software | Sierra Online Software | 
PLUS the complete listing of the ultimate cracking program.. .Super IOB 1.5 



Volume I $12.95 + $2 shipping & handling 

Volume II $12.95 + $2 shipping & handling 

Both volumes! $20.90 + $3 shipping & handling 

Foreign orders (except Canada & Mexico), please add $5.00 per book shipping 
& handling. U.S. funds drawn on U.S. banks only. Most orders shipped within 
5 working days, however please allow 4-6 weeks delivery for some orders. 
Washington State orders add 7.8% sales tax. Send your orders to: 

SoftKey Publishing PO Box 110846-B Tacoma, WA 98411 
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Ordering Volumes I and II of 

The Book Of Softkeys 

Easy as 

12 3 



Name ID#. 

Address 

City State Zip 



Country Phone . 



Exp.. 



Signature BSK3 

I I I Volume I $12.95 + $2 ship/handling 

tL\ I Volume II $12.95 + $2 ship/handling 

O I I Both volumes! $20.90 + $3 ship/handling 



Foreign orders (except Canada & Mexico), please add $5.00 per book 
shipping & handling. U.S. funds drawn on U.S. banks only. Most orders 
shipped within 5 working days, however please allow 4-6 weeks delivery 
for some orders. Washington State orders add 7.8% sales tax. 
Send your order to: 

SoftKey Publishing 

POBox 110846-B 

Tacoma, WA 9841 1 
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We are NOT 

PIRATES! 

but we're not fools, either. 



We're serious programmers and software users who just want to 
have backup copies of any software we own. COMPUTIST 
magazine shows us HOW TO BACKUP COMMERCIAL SOFTWARE 
regardless of the maker's attempt to stop us from having legal 
copies. Don't let them stop you from protecting your own rights. 

Remove copy-protection 

from your valuable library of expensive software. The publisher of 
COMPUTIST has been showing subscribers how to unlock and modify 
commercial software for the past 5 years. Don't be one of the users 
abused by user-FIENDLY locked-up software. Subscribe. 



SUBSCRIPTIONS RATES FOR 12 ISSUES: 

□ U.S.-W2 C1U.S. First Ctas*-$45 nCanada, Mexico-$45 dOther Foreign-$75 
SAMPLE COPY: nU.S.- $4.75 DForeign- $8.00 

US funds drawn on U.S. bank. Send check or money order to: 
COMPUTIST PO Box 110846-B Tacoma, WA 98411 

□ NEW subscriber □Renew my subscription. 



Name_ 



Address 

City 

Country_ 



State 



Zip 



_Phone_ 



Exp.. 



Signature . 



BSK3 



FREE STARTED KIT 

(a $32.00 value) 

With your new subscription, you will receive a FREE software 
kit, containing several utility programs to help you remove 
copy-protection and modify your locked-up software. 
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TOP SECRET ? 

Not any more. The publisher of (Hardcore) COMPUTIST magazine has been 
showing Apple-computer users how to modify and make copyable backups 
of uncopyable (copy-protected) commercial software for the past 5 years. 

Remove copy-protection! 

It's legal. It's easy. It's fun. And once the protection is removed 
(normalized), you can then modify, make backups of all modified versions, 
pack them on hard disk, and maintain an archival file of originals while 
you use the backups. Don't risk crashing the original. Use only backups. 



sunn 



Softkey information in this Book Of Softkeys should NOT be used to make copies of copyrighted 
software for illegal distribution. The publisher does NOT condone software piracy. 

Do n't be a so ftware 

PIRATE. 

But don't be a fool, either. 



This Book Of Softkeys, like the previous volumes, shows you how to remove 
copy-protection from specific commercial software. This volume shows you 
how to deprotect the following software packages: 



Alien Addition 


■ Last Gladiator 


8 Seadragon 


Alien Munchies 


■ Learning With Leeper 


■ Sensible Speller IV 


Alligator Mix 


1 Lion's Share 


■ Snooper Troops II 


Computer Preparation SAT 


■ Master Type vl.7 


• SoftPorn Adventure 


Cut And Paste 


■ MatheMagic 


■ Stickybear series 


Demolition Division 


■ Minus Mission 


■ Suicide 


Einstein Compiler version 5.3 


1 Millionaire 


■ TellStar 


Escape From Rungistan 


■ Music Construction Set 


■ Tic Tac Show 


Financial Cookbook 


■ One On One 


■ Time Is Money 


Flip Out 


■ PFS software 


• Transylvania 


Hi-Res Computer Golf II 


■ The Quest 


■ Type Attack 


Knoware 


■ Rocky's Boots 


■ Ultima ffl Exodus 


LafPak 


1 Sabotage 


■ Zoom Graphics 



Plus other helpful articles and utility software LISTings. 



